Windows Analysis Report
EXPORT INVOICE.pdf.scr

Overview

General Information

Sample Name: EXPORT INVOICE.pdf.scr (renamed file extension from scr to exe)
Analysis ID: 625078
MD5: 2cf09341b87d20404a6d824305ea5419
SHA1: ec9de894d7cb09ed3940db31dfc7a39cc1280acd
SHA256: 2b21885c68cf8bcee3be7e08574372130a42c74a047b1f962cc5e270bb7b543e
Tags: exe
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Initial sample is a PE file and has a suspicious name
Uses an obfuscated file name to hide its real file extension (double extension)
Machine Learning detection for sample
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function

Classification

  • System is w10x64
  • EXPORT INVOICE.pdf.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe" MD5: 2CF09341B87D20404A6D824305EA5419)
    • WerFault.exe (PID: 5336 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 1280 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: EXPORT INVOICE.pdf.exe | Avira: detected
Source: EXPORT INVOICE.pdf.exe | Virustotal: Detection: 37%
Source: EXPORT INVOICE.pdf.exe | ReversingLabs: Detection: 34%
Source: EXPORT INVOICE.pdf.exe | Joe Sandbox ML: detected
Source: EXPORT INVOICE.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: EXPORT INVOICE.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Core.ni.pdbRSDSD source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: System.Xml.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: Accessibility.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: .pdb08 source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: System.Configuration.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: EXPORT INVOICE.pdf.PDB source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: System.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: (P5oLC:\Windows\Microsoft.VisualBasic.pdb source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdbH source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb4" source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: np@oVisualBasic.pdb source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: C:\Users\user\Desktop\EXPORT INVOICE.pdf.PDB source: EXPORT INVOICE.pdf.exe, 00000001.00000002.431660195.0000000001357000.00000004.00000010.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.413234649.0000000001357000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERC3FE.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb source: WERC3FE.tmp.dmp.7.dr
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.370373493.000000000867D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.wM
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.415970243.0000000008640000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.415970243.0000000008640000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comionm
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.415970243.0000000008640000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.371092907.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371122582.000000000867D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.371092907.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371043084.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371122582.000000000867D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.371160843.000000000867D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com;
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.371043084.000000000867D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comW
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.371122582.000000000867D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comWT
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnD
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.376953483.0000000008647000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.377031607.0000000008648000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cndnl
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.379986920.000000000864D000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.379854422.000000000864E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.comrmW
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.371908716.0000000008647000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.net
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: EXPORT INVOICE.pdf.exe, 00000001.00000003.373268434.0000000008648000.00000004.00000800.00020000.00000000.sdmp, EXPORT INVOICE.pdf.exe, 00000001.00000003.373229768.0000000008647000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netr
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412177175.0000000009852000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

System Summary

Source: initial sample | Static PE information: Filename: EXPORT INVOICE.pdf.exe (2 identical entries)
Source: EXPORT INVOICE.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: EXPORT INVOICE.pdf.exe | Binary or memory string: OriginalFilename vs EXPORT INVOICE.pdf.exe
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.364000331.0000000000FB2000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenameIRuntimeEvidenceFact.exe< vs EXPORT INVOICE.pdf.exe
Source: EXPORT INVOICE.pdf.exe, 00000001.00000000.412654077.000000000A0E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameFort.dll" vs EXPORT INVOICE.pdf.exe
Source: EXPORT INVOICE.pdf.exe, 00000001.00000002.432550901.000000000329A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFort.dll" vs EXPORT INVOICE.pdf.exe
Source: EXPORT INVOICE.pdf.exe | Binary or memory string: OriginalFilenameIRuntimeEvidenceFact.exe< vs EXPORT INVOICE.pdf.exe
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 1280
Source: EXPORT INVOICE.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_0327216B
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03271768
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_0327B52C
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_032704D0
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03270FD8
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03273313
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_032753E8
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_032753F8
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03273205
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03273120
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_032751B1
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03273184
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_032751C0
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03273070
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03275629
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03275638
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_0327352C
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_032734AF
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03274B38
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03274B48
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_0327580B
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03272F79
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03273FB1
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03270F92
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_03273FC0
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_0A0C8A90
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_0A0CEFC0
Source: EXPORT INVOICE.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: EXPORT INVOICE.pdf.exe | Virustotal: Detection: 37%
Source: EXPORT INVOICE.pdf.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | File read: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe
Source: EXPORT INVOICE.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
Source: unknown | Process created: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe "C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe"
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 1280
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7108
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3FE.tmp
Source: classification engine | Classification label: mal68.evad.winEXE@2/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: EXPORT INVOICE.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: EXPORT INVOICE.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_00EF23FC push esp; ret
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Code function: 1_2_00EF2418 push cs; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.63374734815

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.exe | Static PE information: EXPORT INVOICE.pdf.exe
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Process information set: NOOPENFILEERRORBOX (38 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe TID: 7112 | Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Thread delayed: delay time: 45733
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Process queried: DebugPort (2 identical entries)
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Fonts\GILSANUB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Virtualization/Sandbox Evasion (21) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (21) | Security Account Manager | System Information Discovery (12) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (2) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (1) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (12) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link
EXPORT INVOICE.pdf.exe | 37% | Virustotal | | Browse
EXPORT INVOICE.pdf.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
EXPORT INVOICE.pdf.exe | 100% | Avira | HEUR/AGEN.1202539 |
EXPORT INVOICE.pdf.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
1.2.EXPORT INVOICE.pdf.exe.ef0000.0.unpack | 100% | Avira | HEUR/AGEN.1244320 | | Download File
1.0.EXPORT INVOICE.pdf.exe.ef0000.0.unpack | 100% | Avira | HEUR/AGEN.1244320 | | Download File
1.0.EXPORT INVOICE.pdf.exe.ef0000.1.unpack | 100% | Avira | HEUR/AGEN.1244320 | | Download File
1.0.EXPORT INVOICE.pdf.exe.ef0000.4.unpack | 100% | Avira | HEUR/AGEN.1244320 | | Download File
No Antivirus matches
No contacted domains info
                      No contacted IP infos
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:625078
Start date and time:2022-05-12 11:48:04 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 6m 46s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:EXPORT INVOICE.pdf.scr (renamed file extension from scr to exe)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal68.evad.winEXE@2/4@0/0
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 2.8% (good quality ratio 1.5%)
                      • Quality average: 33.8%
                      • Quality standard deviation: 38.3%
                      HCA Information:
                      • Successful, ratio: 98%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 20.189.173.20
                      • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
11:49:32 | API Interceptor | 1x Sleep call for process: EXPORT INVOICE.pdf.exe modified
11:49:44 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                      No context
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):1.1180961660191344
                      Encrypted:false
                      SSDEEP:192:8So+ZrokHBUZMXyaKeCikHKvi/u7s+S274ItV3N:NoGssBUZMXyaO/u7s+X4ItV3N
                      MD5:1F31080612E3F6C4532346FCD3D5C016
                      SHA1:E42CCD16F84BFF420021EB2BA9DDC537F737FEFC
                      SHA-256:0B7453D7AA239FECF7864F1B5810B4F239D115F609136131996FADE243151C30
                      SHA-512:A3F6052AD7416A4CEE823CE102D4B70A0CD2776752D9E80DA14F36AAF8403B64BB478A0DA196CF549EA84BD4604F858D75D6F0EEA2FAA9E48C6E64E2E74BF263
                      Malicious:false
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.8.5.4.9.8.0.1.9.8.2.6.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.6.8.5.4.9.8.3.5.4.2.0.2.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.1.1.6.5.9.5.-.5.a.5.9.-.4.3.a.0.-.9.d.c.7.-.4.7.c.7.9.e.6.5.0.9.1.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.c.a.f.e.2.9.-.b.d.f.a.-.4.b.6.4.-.9.3.1.d.-.8.9.9.1.a.8.1.5.5.e.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.P.O.R.T. .I.N.V.O.I.C.E...p.d.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.R.u.n.t.i.m.e.E.v.i.d.e.n.c.e.F.a.c.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.c.4.-.0.0.0.1.-.0.0.1.8.-.3.b.2.f.-.d.e.f.8.3.0.6.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.c.3.a.0.5.7.5.0.3.1.8.a.8.8.8.9.c.8.8.1.7.4.f.9.f.2.7.b.8.2.9.0.0.0.0.0.0.0.0.!.0.0.0.0.e.c.9.d.e.8.9.4.d.7.c.b.0.9.e.d.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Thu May 12 18:49:40 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):259748
                      Entropy (8bit):4.124164669491366
                      Encrypted:false
                      SSDEEP:3072:nO1ljd+p2SN0o9gIOgF5xc0+TUCgUDHoPtk+Dl0dopIXuq2:O16pV0o9RpDqHTjrmtrR0dX
                      MD5:27132ED0DF055D722D2EC7D30A3BDDD1
                      SHA1:E1849483F307B97C1BE9B2A6DACAFDE31DDE71CD
                      SHA-256:BFC754BC356FF8C2723F75F675A88A0409EC663F30208D4C484859717C3A8C94
                      SHA-512:D89C84400ADEE3F24E833CE23C7A8DADA0D8242E0E40457AEE0C3979B604121CA73CD5F2D0E1240840EE5A24AB8D5D7EFEB03B224B603CB0A0D376A1313CCA83
                      Malicious:false
                      Reputation:low
                      Preview:MDMP....... ........V}b.....................................'...F..........T.......8...........T............1............... ..........."...................................................................U...........B......P#......GenuineIntelW...........T............V}b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8452
                      Entropy (8bit):3.7133404895699718
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiO56B6YfgSUpvy3MgmfZDYSoCpr989bP0sfOFm:RrlsNiY6B6YoSUpvycgmfNYSKPnfd
                      MD5:468747CA40B4B83F9FBB334CD4B3A34D
                      SHA1:E53798256597E7463D2E62655E6935F4EC4F12D0
                      SHA-256:B73923FC0A208D55F89E62E3FB86058EB8C90884C3EF86A17B13A59FBE0A833C
                      SHA-512:EF1C78E9AEE301304FF0E16F83D4055322D1E0855DBE0CB9FC4CD027039F5F251ED4B1B0D437E866D10FCABA644CF7300FDD384E11E6702EEABCEEAA2064977D
                      Malicious:false
                      Reputation:low
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.0.8.<./.P.i.d.>.......
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4805
                      Entropy (8bit):4.563561801184721
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zsTJgtWI9ILyWgc8sqYjw18fm8M4JgB8zL8Fd+q8vozLMPn0ulZpAdOIk:uITftr3grsqYMCJghKnXlrAQIOd
                      MD5:F4BFB7BF17BB4D09E417682C912EE9AC
                      SHA1:4DF54B023773CB7754A7D510F1A2A6E87A0C7B19
                      SHA-256:FBA7016993C3260F687045760192ED38E4B5997D982685365C70CD12B8779250
                      SHA-512:B4563B3E695B5CFDDFF7014ADB27861463172DFD0CA5E264C350065F04AC8AFCFA3562E0ACCA7429DFE3377F04C5F349AE1D52BBF7460E928D88E4932A21CFCE
                      Malicious:false
                      Reputation:low
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1512240" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.125237039189151
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:EXPORT INVOICE.pdf.exe
                      File size:808448
                      MD5:2cf09341b87d20404a6d824305ea5419
                      SHA1:ec9de894d7cb09ed3940db31dfc7a39cc1280acd
                      SHA256:2b21885c68cf8bcee3be7e08574372130a42c74a047b1f962cc5e270bb7b543e
                      SHA512:db8e247a8192ee53b96ee12a9b1e120e904b58b96f5ea3687d10bda3ea16d479bfe2da0db07b633b35bc03da9665d8ebe13a0e494a481bd88a76c30b79c2dbe9
                      SSDEEP:12288:cWRXIfWktOMzKcDOGjBTu2KSgaLfqGC7vh9KBYhLWWZ0u9zfLWt6l/4MKOC6ZEKA:ciXIfWcKwj9wSgajqh7J9K6hLPSu9O
                      TLSH:B905BE9872D0B5AECB07C93289545C25A9203C67439AD20B6CC736DFE9BD69ECE041F3
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{b..............0.................. ........@.. ....................................@................................
                      Icon Hash:24e4c69696b2d4cc
                      Entrypoint:0x4adaee
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x627BF1C4 [Wed May 11 17:26:28 2022 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:v4.0.30319
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Instruction
                      jmp dword ptr [00402000h]
                      add byte ptr [eax], al
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xada9c | 0x4f | .text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x19578 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc8000 | 0xc | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x2000 | 0xabaf4 | 0xabc00 | False | 0.839913402929 | data | 7.63374734815 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rsrc | 0xae000 | 0x19578 | 0x19600 | False | 0.0630484144089 | data | 1.45882239786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0xc8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country
                      RT_ICON | 0xae220 | 0x468 | GLS_BINARY_LSB_FIRST | |
                      RT_ICON | 0xae688 | 0x877 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | |
                      RT_ICON | 0xaef00 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                      RT_ICON | 0xb14a8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                      RT_ICON | 0xb2550 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                      RT_ICON | 0xc2d78 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                      RT_GROUP_ICON | 0xc6fa0 | 0x5a | data | |
                      RT_VERSION | 0xc6ffc | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | |
                      RT_MANIFEST | 0xc7388 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                      DLL | Import
                      mscoree.dll | _CorExeMain
                      Description | Data
                      Translation | 0x0000 0x04b0
                      LegalCopyright | Copyright 2020 Havy Alegria
                      Assembly Version | 1.0.0.0
                      InternalName | IRuntimeEvidenceFact.exe
                      FileVersion | 1.0.0.0
                      CompanyName | Havy Alegria
                      LegalTrademarks |
                      Comments |
                      ProductName | InnoExtractor
                      ProductVersion | 1.0.0.0
                      FileDescription | InnoExtractor
                      OriginalFilename | IRuntimeEvidenceFact.exe
                      No network behavior found


                      Target ID:1
                      Start time:11:49:12
                      Start date:12/05/2022
                      Path:C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\EXPORT INVOICE.pdf.exe"
                      Imagebase:0xef0000
                      File size:808448 bytes
                      MD5 hash:2CF09341B87D20404A6D824305EA5419
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:low

                      Target ID:7
                      Start time:11:49:39
                      Start date:12/05/2022
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 1280
                      Imagebase:0xe20000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:high

                      No disassembly