Windows Analysis Report Proforma Invoice.exe

Overview

General Information

Sample Name: Proforma Invoice.exe
Analysis ID: 491978
MD5: 05dea597f5e2fdaf7dd91dc2732eb54b
SHA1: 6067e82bf295eb76c415a5c4910ea578bae96933
SHA256: 6e6d502d455f4d1db45f465ff69d1d2f53a78afffbda8e6bc2b12c99ca012926
Tags: exe, Invoice

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Initial sample is a PE file and has a suspicious name
.NET source code contains very large strings
Executable has a suspicious name (potential lure to open the executable)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Proforma Invoice.exe Virustotal: Detection: 19%
Source: Proforma Invoice.exe ReversingLabs: Detection: 24%

Compliance:

Uses 32bit PE files
Source: Proforma Invoice.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Proforma Invoice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 4x nop then jmp 05F01B4Eh 1_2_05F01B08
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 4x nop then jmp 05F01B4Eh 1_2_05F01BE4
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 4x nop then jmp 05F01B4Eh 1_2_05F01B65
Source: Proforma Invoice.exe, 00000001.00000002.384252504.0000000002D84000.00000004.00000001.sdmp String found in binary or memory: http://schemas.m

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Proforma Invoice.exe
.NET source code contains very large strings
Source: Proforma Invoice.exe, Castle.Samples.Extensibility/UI/Input.cs Long String: Length: 75776
Source: 1.0.Proforma Invoice.exe.990000.0.unpack, Castle.Samples.Extensibility/UI/Input.cs Long String: Length: 75776
Source: 1.2.Proforma Invoice.exe.990000.0.unpack, Castle.Samples.Extensibility/UI/Input.cs Long String: Length: 75776
Source: 4.2.Proforma Invoice.exe.130000.0.unpack, Castle.Samples.Extensibility/UI/Input.cs Long String: Length: 75776
Source: 5.2.Proforma Invoice.exe.80000.0.unpack, Castle.Samples.Extensibility/UI/Input.cs Long String: Length: 75776
Source: 5.0.Proforma Invoice.exe.80000.0.unpack, Castle.Samples.Extensibility/UI/Input.cs Long String: Length: 75776
Executable has a suspicious name (potential lure to open the executable)
Source: Proforma Invoice.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Proforma Invoice.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Sample file is different than original file name gathered from version info
Source: Proforma Invoice.exe Binary or memory string: OriginalFilename vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000001.00000002.394557947.0000000003DA3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000001.00000002.383529720.0000000000992000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSearchResultHandl.exeJ vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000004.00000002.355667372.0000000000132000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSearchResultHandl.exeJ vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000004.00000002.355919793.0000000000595000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000005.00000002.356678194.0000000000082000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSearchResultHandl.exeJ vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000005.00000002.356866662.0000000000535000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000006.00000002.362518414.00000000009A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSearchResultHandl.exeJ vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000006.00000002.362605907.0000000000E35000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000007.00000002.372325904.0000000000CB2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSearchResultHandl.exeJ vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000007.00000002.372402576.0000000001135000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000008.00000000.375243263.00000000002B2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSearchResultHandl.exeJ vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000008.00000002.383624530.0000000000735000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Proforma Invoice.exe
Source: Proforma Invoice.exe Binary or memory string: OriginalFilenameSearchResultHandl.exeJ vs Proforma Invoice.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 1_2_05D90D38 1_2_05D90D38
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 1_2_05D9DE40 1_2_05D9DE40
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 1_2_05D911D0 1_2_05D911D0
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 1_2_05D9D1E8 1_2_05D9D1E8
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 1_2_05D911E0 1_2_05D911E0
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 1_2_05D93591 1_2_05D93591
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 1_2_05D90D28 1_2_05D90D28
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 1_2_05D972C0 1_2_05D972C0
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 1_2_05D972B2 1_2_05D972B2
Source: Proforma Invoice.exe Virustotal: Detection: 19%
Source: Proforma Invoice.exe ReversingLabs: Detection: 24%
Source: Proforma Invoice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proforma Invoice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Proforma Invoice.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown Process created: C:\Users\user\Desktop\Proforma Invoice.exe 'C:\Users\user\Desktop\Proforma Invoice.exe'
Source: C:\Users\user\Desktop\Proforma Invoice.exe Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma Invoice.exe.log
Source: classification engine Classification label: mal76.evad.winEXE@11/1@0/0
Source: C:\Users\user\Desktop\Proforma Invoice.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Proforma Invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Proforma Invoice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Proforma Invoice.exe, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Proforma Invoice.exe.990000.0.unpack, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Proforma Invoice.exe.990000.0.unpack, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Proforma Invoice.exe.130000.0.unpack, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Proforma Invoice.exe.80000.0.unpack, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Proforma Invoice.exe.80000.0.unpack, Castle.Samples.Extensibility/UI/ApplicationShell.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Proforma Invoice.exe Code function: 1_2_05F03EFD push FFFFFF8Bh; iretd 1_2_05F03EFF
Source: C:\Users\user\Desktop\Proforma Invoice.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 1.2.Proforma Invoice.exe.2d8482c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.384187519.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.384252504.0000000002D84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Proforma Invoice.exe PID: 6612, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Proforma Invoice.exe, 00000001.00000002.384187519.0000000002D41000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Proforma Invoice.exe, 00000001.00000002.384187519.0000000002D41000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6616 Thread sleep time: -35345s >= -30000s
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6672 Thread sleep time: -922337203685477s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Proforma Invoice.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Proforma Invoice.exe Thread delayed: delay time: 35345
Source: C:\Users\user\Desktop\Proforma Invoice.exe Thread delayed: delay time: 922337203685477
Source: Proforma Invoice.exe, 00000001.00000002.384187519.0000000002D41000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Proforma Invoice.exe, 00000001.00000002.384187519.0000000002D41000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Proforma Invoice.exe, 00000001.00000002.384187519.0000000002D41000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Proforma Invoice.exe, 00000001.00000002.384187519.0000000002D41000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Proforma Invoice.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Proforma Invoice.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Proforma Invoice.exe Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Proforma Invoice.exe Queries volume information: C:\Users\user\Desktop\Proforma Invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos