Analysis Report invoice.exe

Overview

General Information

Sample Name: invoice.exe
Analysis ID: 321016
MD5: c11b21f5c4adcab958c7706cd38f5697
SHA1: 9112cb83359d88fde19f16290020fe813ba46b46
SHA256: ca31bf22e81cd78167c74ed368d9e6ffd06a189dacf22e4b007bcb452f5636d4
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • invoice.exe (PID: 5872 cmdline: 'C:\Users\user\Desktop\invoice.exe' MD5: C11B21F5C4ADCAB958C7706CD38F5697)
    • invoice.exe (PID: 4284 cmdline: C:\Users\user\Desktop\invoice.exe MD5: C11B21F5C4ADCAB958C7706CD38F5697)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 6784 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6880 cmdline: /c del 'C:\Users\user\Desktop\invoice.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 1.2.invoice.exe.400000.1.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 1.2.invoice.exe.400000.1.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 1.2.invoice.exe.400000.1.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 0.2.invoice.exe.29d0000.2.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0.2.invoice.exe.29d0000.2.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match; File source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE

Machine Learning detection for sample
Source: invoice.exe; Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file
Source: 0.2.invoice.exe.29d0000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.invoice.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\invoice.exe; Code function: 4x nop then pop ebx, 1_2_00407AD7
Source: C:\Users\user\Desktop\invoice.exe; Code function: 4x nop then pop ebx, 1_2_00407A9C
Source: C:\Users\user\Desktop\invoice.exe; Code function: 4x nop then pop edi, 1_2_00416CA6
Source: C:\Windows\SysWOW64\control.exe; Code function: 4x nop then pop edi, 6_2_02396CA6

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49764

HTTP GET or POST without a user agent
Source: global traffic; HTTP traffic detected: GET /saf0/?UnSpxn_=BtLohM+uB3q4k/LlKf4h6h9jKhMOWhQYAUT20pwPFuxXeQimTiRkUGHppPy1CbtFE5UV&nHux40=pRmTZBcPIFQHkvP0 HTTP/1.1; Host: www.laborexchanges.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxNJURkYQ12iJDSWINmeiyVLwn1GCX+dbx HTTP/1.1; Host: www.rmcfoods.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /saf0/?UnSpxn_=KK0m7Tuk2BKDUiTVJC/eZPZggliL1QGXIKfUCxB6Gg0A7hnmP0tvgutH2fljjdRiWXxo&nHux40=pRmTZBcPIFQHkvP0 HTTP/1.1; Host: www.nigeriamoney.life; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:

IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 34.102.136.180 34.102.136.180

Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: A2HOSTINGUS A2HOSTINGUS
Source: Joe Sandbox View; ASN Name: DIMENOCUS DIMENOCUS
Source: Joe Sandbox View; ASN Name: GOOGLEUS GOOGLEUS

Source: C:\Windows\explorer.exe; Code function: 4_2_06C017A2 getaddrinfo,setsockopt,recv, 4_2_06C017A2

Source: global traffic; HTTP traffic detected: GET /saf0/?UnSpxn_=BtLohM+uB3q4k/LlKf4h6h9jKhMOWhQYAUT20pwPFuxXeQimTiRkUGHppPy1CbtFE5UV&nHux40=pRmTZBcPIFQHkvP0 HTTP/1.1; Host: www.laborexchanges.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxNJURkYQ12iJDSWINmeiyVLwn1GCX+dbx HTTP/1.1; Host: www.rmcfoods.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /saf0/?UnSpxn_=KK0m7Tuk2BKDUiTVJC/eZPZggliL1QGXIKfUCxB6Gg0A7hnmP0tvgutH2fljjdRiWXxo&nHux40=pRmTZBcPIFQHkvP0 HTTP/1.1; Host: www.nigeriamoney.life; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:

Source: unknown; DNS traffic detected: queries for: www.montesida.com

Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.666096636.0000000002B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: control.exe, 00000006.00000002.925130650.0000000004E2F000.00000004.00000001.sdmp; String found in binary or memory: https://www.rmcfoods.com/saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxN

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group

Executable has a suspicious name (potential lure to open the executable)
Source: invoice.exe; Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: invoice.exe

Contains functionality to call native functions
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_0041A050 NtClose, 1_2_0041A050
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_0041A100 NtAllocateVirtualMemory, 1_2_0041A100
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00419F20 NtCreateFile, 1_2_00419F20
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00419FD0 NtReadFile, 1_2_00419FD0
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_0041A0FA NtAllocateVirtualMemory, 1_2_0041A0FA
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00419F1A NtCreateFile, 1_2_00419F1A
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00419FCB NtReadFile, 1_2_00419FCB
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F198F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00F198F0
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00F19860
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19840 NtDelayExecution,LdrInitializeThunk, 1_2_00F19840
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F199A0 NtCreateSection,LdrInitializeThunk, 1_2_00F199A0
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00F19910
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19A50 NtCreateFile,LdrInitializeThunk, 1_2_00F19A50
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19A20 NtResumeThread,LdrInitializeThunk, 1_2_00F19A20
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00F19A00
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F195D0 NtClose,LdrInitializeThunk, 1_2_00F195D0
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19540 NtReadFile,LdrInitializeThunk, 1_2_00F19540
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F196E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00F196E0
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00F19660
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F197A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00F197A0
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00F19780
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00F19710
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F198A0 NtWriteVirtualMemory, 1_2_00F198A0
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F1B040 NtSuspendThread, 1_2_00F1B040
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19820 NtEnumerateKey, 1_2_00F19820
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F199D0 NtCreateProcessEx, 1_2_00F199D0
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19950 NtQueueApcThread, 1_2_00F19950
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19A80 NtOpenDirectoryObject, 1_2_00F19A80
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19A10 NtQuerySection, 1_2_00F19A10
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F1A3B0 NtGetContextThread, 1_2_00F1A3B0
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19B00 NtSetValueKey, 1_2_00F19B00
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F195F0 NtQueryInformationFile, 1_2_00F195F0
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19560 NtWriteFile, 1_2_00F19560
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F1AD30 NtSetContextThread, 1_2_00F1AD30
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19520 NtWaitForSingleObject, 1_2_00F19520
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F196D0 NtCreateKey, 1_2_00F196D0
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19670 NtQueryInformationProcess, 1_2_00F19670
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19650 NtQueryValueKey, 1_2_00F19650
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19610 NtEnumerateValueKey, 1_2_00F19610
Source: C:\Users\user\Desktop\invoice.exe; Code function: 1_2_00F19FE0 NtCreateMutant, 1_2_00F19FE0
Source: C:\Windows\explorer.exe; Code function: 4_2_06C00A52 NtCreateFile, 4_2_06C00A52
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479540 NtReadFile,LdrInitializeThunk, 6_2_04479540
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_044795D0 NtClose,LdrInitializeThunk, 6_2_044795D0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479650 NtQueryValueKey,LdrInitializeThunk, 6_2_04479650
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_04479660
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_044796D0 NtCreateKey,LdrInitializeThunk, 6_2_044796D0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_044796E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_044796E0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479710 NtQueryInformationToken,LdrInitializeThunk, 6_2_04479710
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479FE0 NtCreateMutant,LdrInitializeThunk, 6_2_04479FE0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479780 NtMapViewOfSection,LdrInitializeThunk, 6_2_04479780
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479840 NtDelayExecution,LdrInitializeThunk, 6_2_04479840
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_04479860
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_04479910
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_044799A0 NtCreateSection,LdrInitializeThunk, 6_2_044799A0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479A50 NtCreateFile,LdrInitializeThunk, 6_2_04479A50
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479560 NtWriteFile, 6_2_04479560
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479520 NtWaitForSingleObject, 6_2_04479520
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_0447AD30 NtSetContextThread, 6_2_0447AD30
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_044795F0 NtQueryInformationFile, 6_2_044795F0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479670 NtQueryInformationProcess, 6_2_04479670
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479610 NtEnumerateValueKey, 6_2_04479610
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479760 NtOpenProcess, 6_2_04479760
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_0447A770 NtOpenThread, 6_2_0447A770
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479770 NtSetInformationFile, 6_2_04479770
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_0447A710 NtOpenProcessToken, 6_2_0447A710
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479730 NtQueryVirtualMemory, 6_2_04479730
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_044797A0 NtUnmapViewOfSection, 6_2_044797A0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_0447B040 NtSuspendThread, 6_2_0447B040
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479820 NtEnumerateKey, 6_2_04479820
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_044798F0 NtReadVirtualMemory, 6_2_044798F0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_044798A0 NtWriteVirtualMemory, 6_2_044798A0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479950 NtQueueApcThread, 6_2_04479950
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_044799D0 NtCreateProcessEx, 6_2_044799D0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479A00 NtProtectVirtualMemory, 6_2_04479A00
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479A10 NtQuerySection, 6_2_04479A10
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479A20 NtResumeThread, 6_2_04479A20
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479A80 NtOpenDirectoryObject, 6_2_04479A80
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_04479B00 NtSetValueKey, 6_2_04479B00
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_0447A3B0 NtGetContextThread, 6_2_0447A3B0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_0239A050 NtClose, 6_2_0239A050
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_0239A100 NtAllocateVirtualMemory, 6_2_0239A100
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_02399F20 NtCreateFile, 6_2_02399F20
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_02399FD0 NtReadFile, 6_2_02399FD0
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_0239A0FA NtAllocateVirtualMemory, 6_2_0239A0FA
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_02399F1A NtCreateFile, 6_2_02399F1A
Source: C:\Windows\SysWOW64\control.exe; Code function: 6_2_02399FCB NtReadFile, 6_2_02399FCB
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0030E1CF
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_003230AC
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00322904
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0032425D
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0030AAC8
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0031A33E
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00312B17
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00313364
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00322392
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0030AD1B
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00312623
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00321E20
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00314E9B
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00311F20
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00312F2F
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00313799
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_003230AC
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00322904
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0030E1CF
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0032425D
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0030AAC8
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0031A33E
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00312B17
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00313364
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00322392
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0030AD1B
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00312623
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00321E20
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00314E9B
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00311F20
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00312F2F
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00313799
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0041E837
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0041E19A
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0041DB18
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0041E38D
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0041DE20
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00409E30
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00FA28EC
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00F020A0
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00FA20A8
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00EEB090
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00FAE824
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00F91002
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00EF4120
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00EDF900
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00FA22AE
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00F903DA
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00F9DBD2
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00F0EBB0
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00FA2B28
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00F9D466
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00EE841F
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00EED5E0
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00FA25DD
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00F02581
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00FA1D55
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00ED0D20
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00FA2D07
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00FA2EF7
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00EF6E30
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00F9D616
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00FA1FF1
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00FADFCE
          Source: C:\Windows\explorer.exe | Code function: 4_2_06C00A52
          Source: C:\Windows\explorer.exe | Code function: 4_2_06BFF882
          Source: C:\Windows\explorer.exe | Code function: 4_2_06BF8CF2
          Source: C:\Windows\explorer.exe | Code function: 4_2_06BF8CE9
          Source: C:\Windows\explorer.exe | Code function: 4_2_06C03A0C
          Source: C:\Windows\explorer.exe | Code function: 4_2_06BF7072
          Source: C:\Windows\explorer.exe | Code function: 4_2_06BF7069
          Source: C:\Windows\explorer.exe | Code function: 4_2_06BFBB22
          Source: C:\Windows\explorer.exe | Code function: 4_2_06BFBB1F
          Source: C:\Windows\explorer.exe | Code function: 4_2_06BFE152
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_044FD466
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0444841F
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_04501D55
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_04502D07
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_04430D20
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_045025DD
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0444D5E0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_04462581
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_044FD616
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_04456E30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_04502EF7
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0450DFCE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_04501FF1
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_044F1002
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0450E824
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_045028EC
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0444B090
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_044620A0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_045020A8
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0443F900
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_04454120
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_045022AE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_04502B28
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_044F03DA
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_044FDBD2
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0446EBB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0239E38D
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0239E837
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0239E19A
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_02389E30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_02382FB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_02382D90
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_02382D87
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 0443B150 appears 45 times
          Source: C:\Users\user\Desktop\invoice.exe | Code function: String function: 00310BAA appears 42 times
          Source: C:\Users\user\Desktop\invoice.exe | Code function: String function: 00307570 appears 126 times
          Source: C:\Users\user\Desktop\invoice.exe | Code function: String function: 00316090 appears 80 times
          Source: C:\Users\user\Desktop\invoice.exe | Code function: String function: 00EDB150 appears 45 times
          Source: invoice.exe, 00000000.00000003.657254130.0000000002D3F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs invoice.exe
          Source: invoice.exe, 00000001.00000002.694907659.0000000000C1A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs invoice.exe
          Source: invoice.exe, 00000001.00000002.695325238.000000000115F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs invoice.exe
          Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@4/3
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
          Source: invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\invoice.exe | File read: C:\Users\user\Desktop\invoice.exe
          Source: unknown | Process created: C:\Users\user\Desktop\invoice.exe 'C:\Users\user\Desktop\invoice.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\invoice.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\invoice.exe | Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\invoice.exe'
          Source: invoice.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000004.00000002.934975474.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP | source: invoice.exe, 00000000.00000003.660665803.0000000002A90000.00000004.00000001.sdmp, invoice.exe, 00000001.00000002.695023549.0000000000EB0000.00000040.00000001.sdmp, control.exe, 00000006.00000002.924534412.000000000452F000.00000040.00000001.sdmp
          Source: Binary string: control.pdb | source: invoice.exe, 00000001.00000002.694907659.0000000000C1A000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdb | source: invoice.exe, control.exe
          Source: Binary string: control.pdbUGP | source: invoice.exe, 00000001.00000002.694907659.0000000000C1A000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdb | source: explorer.exe, 00000004.00000002.934975474.0000000005A00000.00000002.00000001.sdmp
          Source: invoice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: invoice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: invoice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: invoice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: invoice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_003160D5 push ecx; ret 0_2_003160E8
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0032F311 push eax; ret 0_2_0032F341
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0032F390 push eax; ret 0_2_0032F341
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0030F55D push ecx; ret 0_2_0030F570
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_003160D5 push ecx; ret 1_2_003160E8
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0030F55D push ecx; ret 1_2_0030F570
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00416855 push ebx; retf 1_2_00416858
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0041D075 push eax; ret 1_2_0041D0C8
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0041D0C2 push eax; ret 1_2_0041D0C8
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0041D0CB push eax; ret 1_2_0041D132
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0041D12C push eax; ret 1_2_0041D132
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00416B05 push edx; ret 1_2_00416B08
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_004163B0 push esi; iretd 1_2_0041640A
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0041E5D3 push es; ret 1_2_0041E5E8
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00F2D0D1 push ecx; ret 1_2_00F2D0E4
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0448D0D1 push ecx; ret 6_2_0448D0E4
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_02396B05 push edx; ret 6_2_02396B08
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_023963B0 push esi; iretd 6_2_0239640A
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0239D075 push eax; ret 6_2_0239D0C8
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_02396855 push ebx; retf 6_2_02396858
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0239E0AA push esp; retf 0000h 6_2_0239E0B5
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0239D0CB push eax; ret 6_2_0239D132
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0239D0C2 push eax; ret 6_2_0239D0C8
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0239D12C push eax; ret 6_2_0239D132
          Source: C:\Windows\SysWOW64\control.exe | Code function: 6_2_0239E5D3 push es; ret 6_2_0239E5E8

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE9
          Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0030E1CF RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\invoice.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\invoice.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 00000000023898E4 second address: 00000000023898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 0000000002389B4E second address: 0000000002389B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\invoice.exeCode function: 1_2_00409A80 rdtsc 1_2_00409A80
          Source: C:\Windows\explorer.exe TID: 3484Thread sleep count: 40 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 3484Thread sleep time: -80000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\control.exe TID: 6540Thread sleep time: -44000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
          Source: explorer.exe, 00000004.00000000.675249381.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.678740166.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.935455932.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.678740166.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.673260391.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000000.678863688.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000000.675249381.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.675249381.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000002.932678004.0000000004791000.00000004.00000001.sdmpBinary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI
          Source: explorer.exe, 00000004.00000000.679085865.000000000A784000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000004.00000000.675249381.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\invoice.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\invoice.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\control.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\invoice.exeCode function: 1_2_00409A80 rdtsc 1_2_00409A80
          Source: C:\Users\user\Desktop\invoice.exeCode function: 1_2_0040ACC0 LdrLoadDll,1_2_0040ACC0
          Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_0031EBDE EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0031EBDE
          Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_0031EBDE EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0031EBDE
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_003311EC mov eax, dword ptr fs:[00000030h] 0_2_003311EC
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00331229 mov eax, dword ptr fs:[00000030h] 0_2_00331229
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0033128C mov eax, dword ptr fs:[00000030h] 0_2_0033128C
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_003306F8 mov eax, dword ptr fs:[00000030h] 0_2_003306F8
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00ED58EC mov eax, dword ptr fs:[00000030h] 1_2_00ED58EC
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00ED40E1 mov eax, dword ptr fs:[00000030h] 1_2_00ED40E1
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F6B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00F6B8D0
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F6B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00F6B8D0
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F0F0BF mov ecx, dword ptr fs:[00000030h] 1_2_00F0F0BF
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F0F0BF mov eax, dword ptr fs:[00000030h] 1_2_00F0F0BF
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F020A0 mov eax, dword ptr fs:[00000030h] 1_2_00F020A0
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F190AF mov eax, dword ptr fs:[00000030h] 1_2_00F190AF
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00ED9080 mov eax, dword ptr fs:[00000030h] 1_2_00ED9080
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F53884 mov eax, dword ptr fs:[00000030h] 1_2_00F53884
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F92073 mov eax, dword ptr fs:[00000030h] 1_2_00F92073
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00FA1074 mov eax, dword ptr fs:[00000030h] 1_2_00FA1074
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00EF0050 mov eax, dword ptr fs:[00000030h] 1_2_00EF0050
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00EEB02A mov eax, dword ptr fs:[00000030h] 1_2_00EEB02A
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F0002D mov eax, dword ptr fs:[00000030h] 1_2_00F0002D
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F57016 mov eax, dword ptr fs:[00000030h] 1_2_00F57016
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00FA4015 mov eax, dword ptr fs:[00000030h] 1_2_00FA4015
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00EDB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00EDB1E1
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F641E8 mov eax, dword ptr fs:[00000030h] 1_2_00F641E8
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F551BE mov eax, dword ptr fs:[00000030h] 1_2_00F551BE
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F061A0 mov eax, dword ptr fs:[00000030h] 1_2_00F061A0
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F569A6 mov eax, dword ptr fs:[00000030h] 1_2_00F569A6
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F949A4 mov eax, dword ptr fs:[00000030h] 1_2_00F949A4
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F02990 mov eax, dword ptr fs:[00000030h] 1_2_00F02990
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00EFC182 mov eax, dword ptr fs:[00000030h] 1_2_00EFC182
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F0A185 mov eax, dword ptr fs:[00000030h] 1_2_00F0A185
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00EDC962 mov eax, dword ptr fs:[00000030h] 1_2_00EDC962
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00EDB171 mov eax, dword ptr fs:[00000030h] 1_2_00EDB171
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00EFB944 mov eax, dword ptr fs:[00000030h] 1_2_00EFB944
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00F0513A mov eax, dword ptr fs:[00000030h] 1_2_00F0513A
          Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00EF4120 mov eax, dword ptr fs:[00000030h] 1_2_00EF4120
          Source: C:\Users\user\Desktop\invoice.exe