Play interactive tour

Edit tour

Analysis Report invoice.exe

Overview

General Information

Sample Name:	invoice.exe
Analysis ID:	321016
MD5:	c11b21f5c4adcab958c7706cd38f5697
SHA1:	9112cb83359d88fde19f16290020fe813ba46b46
SHA256:	ca31bf22e81cd78167c74ed368d9e6ffd06a189dacf22e4b007bcb452f5636d4
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

invoice.exe (PID: 5872 cmdline: 'C:\Users\user\Desktop\invoice.exe' MD5: C11B21F5C4ADCAB958C7706CD38F5697)

invoice.exe (PID: 4284 cmdline: C:\Users\user\Desktop\invoice.exe MD5: C11B21F5C4ADCAB958C7706CD38F5697)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

control.exe (PID: 6784 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

cmd.exe (PID: 6880 cmdline: /c del 'C:\Users\user\Desktop\invoice.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.invoice.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.invoice.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.invoice.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0.2.invoice.exe.29d0000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.invoice.exe.29d0000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.invoice.exe.29d0000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
0.2.invoice.exe.29d0000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.invoice.exe.29d0000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.invoice.exe.29d0000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.invoice.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.invoice.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.invoice.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: invoice.exe

Joe Sandbox ML: detected

Source: 0.2.invoice.exe.29d0000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.invoice.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\invoice.exe	Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\invoice.exe	Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\invoice.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49764

Source: global traffic	HTTP traffic detected: GET /saf0/?UnSpxn_=BtLohM+uB3q4k/LlKf4h6h9jKhMOWhQYAUT20pwPFuxXeQimTiRkUGHppPy1CbtFE5UV&nHux40=pRmTZBcPIFQHkvP0 HTTP/1.1Host: www.laborexchanges.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxNJURkYQ12iJDSWINmeiyVLwn1GCX+dbx HTTP/1.1Host: www.rmcfoods.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /saf0/?UnSpxn_=KK0m7Tuk2BKDUiTVJC/eZPZggliL1QGXIKfUCxB6Gg0A7hnmP0tvgutH2fljjdRiWXxo&nHux40=pRmTZBcPIFQHkvP0 HTTP/1.1Host: www.nigeriamoney.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 34.102.136.180 34.102.136.180

Source: Joe Sandbox View	ASN Name: A2HOSTINGUS A2HOSTINGUS
Source: Joe Sandbox View	ASN Name: DIMENOCUS DIMENOCUS
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS

Source: C:\Windows\explorer.exe

Code function: 4_2_06C017A2 getaddrinfo,setsockopt,recv,

Source: global traffic	HTTP traffic detected: GET /saf0/?UnSpxn_=BtLohM+uB3q4k/LlKf4h6h9jKhMOWhQYAUT20pwPFuxXeQimTiRkUGHppPy1CbtFE5UV&nHux40=pRmTZBcPIFQHkvP0 HTTP/1.1Host: www.laborexchanges.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxNJURkYQ12iJDSWINmeiyVLwn1GCX+dbx HTTP/1.1Host: www.rmcfoods.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /saf0/?UnSpxn_=KK0m7Tuk2BKDUiTVJC/eZPZggliL1QGXIKfUCxB6Gg0A7hnmP0tvgutH2fljjdRiWXxo&nHux40=pRmTZBcPIFQHkvP0 HTTP/1.1Host: www.nigeriamoney.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.montesida.com

Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.666096636.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: control.exe, 00000006.00000002.925130650.0000000004E2F000.00000004.00000001.sdmp	String found in binary or memory: https://www.rmcfoods.com/saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxN

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: invoice.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: invoice.exe

Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041A050 NtClose,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041A100 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00419F20 NtCreateFile,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00419FD0 NtReadFile,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041A0FA NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00419F1A NtCreateFile,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00419FCB NtReadFile,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F198F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F199A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F195D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F196E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F197A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F198A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F1B040 NtSuspendThread,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19820 NtEnumerateKey,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F199D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19950 NtQueueApcThread,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19A10 NtQuerySection,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F1A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19B00 NtSetValueKey,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F195F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19560 NtWriteFile,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F1AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F196D0 NtCreateKey,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19650 NtQueryValueKey,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F19FE0 NtCreateMutant,
Source: C:\Windows\explorer.exe	Code function: 4_2_06C00A52 NtCreateFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044795D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044796D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479560 NtWriteFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0447AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044795F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479760 NtOpenProcess,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0447A770 NtOpenThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0447A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044797A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0447B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044798F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044798A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044799D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479A10 NtQuerySection,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479A20 NtResumeThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04479B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0447A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239A050 NtClose,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239A100 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_02399F20 NtCreateFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_02399FD0 NtReadFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239A0FA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_02399F1A NtCreateFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_02399FCB NtReadFile,

Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_0030E1CF
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_003230AC
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00322904
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_0032425D
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_0030AAC8
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_0031A33E
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00312B17
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00313364
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00322392
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_0030AD1B
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00312623
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00321E20
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00314E9B
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00311F20
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00312F2F
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00313799
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_003230AC
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00322904
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0030E1CF
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0032425D
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0030AAC8
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0031A33E
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00312B17
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00313364
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00322392
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0030AD1B
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00312623
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00321E20
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00314E9B
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00311F20
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00312F2F
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00313799
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00401030
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041E837
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041E19A
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041DB18
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041E38D
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041DE20
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00409E30
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA28EC
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F020A0
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA20A8
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EEB090
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FAE824
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91002
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF4120
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDF900
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA22AE
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F903DA
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9DBD2
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0EBB0
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA2B28
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9D466
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE841F
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EED5E0
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA25DD
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F02581
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA1D55
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED0D20
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA2D07
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA2EF7
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF6E30
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9D616
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA1FF1
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FADFCE
Source: C:\Windows\explorer.exe	Code function: 4_2_06C00A52
Source: C:\Windows\explorer.exe	Code function: 4_2_06BFF882
Source: C:\Windows\explorer.exe	Code function: 4_2_06BF8CF2
Source: C:\Windows\explorer.exe	Code function: 4_2_06BF8CE9
Source: C:\Windows\explorer.exe	Code function: 4_2_06C03A0C
Source: C:\Windows\explorer.exe	Code function: 4_2_06BF7072
Source: C:\Windows\explorer.exe	Code function: 4_2_06BF7069
Source: C:\Windows\explorer.exe	Code function: 4_2_06BFBB22
Source: C:\Windows\explorer.exe	Code function: 4_2_06BFBB1F
Source: C:\Windows\explorer.exe	Code function: 4_2_06BFE152
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FD466
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444841F
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04501D55
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04502D07
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04430D20
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_045025DD
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04462581
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FD616
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04456E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04502EF7
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0450DFCE
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04501FF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1002
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0450E824
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_045028EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444B090
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044620A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_045020A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04454120
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_045022AE
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04502B28
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F03DA
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FDBD2
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446EBB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239E38D
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239E837
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239E19A
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_02389E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_02382FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_02382D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_02382D87

Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 0443B150 appears 45 times
Source: C:\Users\user\Desktop\invoice.exe	Code function: String function: 00310BAA appears 42 times
Source: C:\Users\user\Desktop\invoice.exe	Code function: String function: 00307570 appears 126 times
Source: C:\Users\user\Desktop\invoice.exe	Code function: String function: 00316090 appears 80 times
Source: C:\Users\user\Desktop\invoice.exe	Code function: String function: 00EDB150 appears 45 times

Source: invoice.exe, 00000000.00000003.657254130.0000000002D3F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs invoice.exe
Source: invoice.exe, 00000001.00000002.694907659.0000000000C1A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs invoice.exe
Source: invoice.exe, 00000001.00000002.695325238.000000000115F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs invoice.exe

Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/0@4/3

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01

Source: invoice.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\invoice.exe

File read: C:\Users\user\Desktop\invoice.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\invoice.exe 'C:\Users\user\Desktop\invoice.exe'
Source: unknown	Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
Source: unknown	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\invoice.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\invoice.exe	Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\invoice.exe'

Source: invoice.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000002.934975474.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: invoice.exe, 00000000.00000003.660665803.0000000002A90000.00000004.00000001.sdmp, invoice.exe, 00000001.00000002.695023549.0000000000EB0000.00000040.00000001.sdmp, control.exe, 00000006.00000002.924534412.000000000452F000.00000040.00000001.sdmp
Source:	Binary string: control.pdb source: invoice.exe, 00000001.00000002.694907659.0000000000C1A000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: invoice.exe, control.exe
Source:	Binary string: control.pdbUGP source: invoice.exe, 00000001.00000002.694907659.0000000000C1A000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000004.00000002.934975474.0000000005A00000.00000002.00000001.sdmp

Source: invoice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: invoice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: invoice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: invoice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: invoice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_003160D5 push ecx; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_0032F311 push eax; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_0032F390 push eax; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_0030F55D push ecx; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_003160D5 push ecx; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0030F55D push ecx; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00416855 push ebx; retf
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041D075 push eax; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041D0C2 push eax; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041D0CB push eax; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041D12C push eax; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00416B05 push edx; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_004163B0 push esi; iretd
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_0041E5D3 push es; ret
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F2D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0448D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_02396B05 push edx; ret
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_023963B0 push esi; iretd
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239D075 push eax; ret
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_02396855 push ebx; retf
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239E0AA push esp; retf 0000h
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239D0CB push eax; ret
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239D0C2 push eax; ret
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239D12C push eax; ret
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0239E5D3 push es; ret

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE9

Source: C:\Users\user\Desktop\invoice.exe

Code function: 0_2_0030E1CF RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\control.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\invoice.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\invoice.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 00000000023898E4 second address: 00000000023898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000002389B4E second address: 0000000002389B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\invoice.exe

Code function: 1_2_00409A80 rdtsc

Source: C:\Windows\explorer.exe TID: 3484	Thread sleep count: 40 > 30
Source: C:\Windows\explorer.exe TID: 3484	Thread sleep time: -80000s >= -30000s
Source: C:\Windows\SysWOW64\control.exe TID: 6540	Thread sleep time: -44000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Source: explorer.exe, 00000004.00000000.675249381.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.678740166.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.935455932.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.678740166.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.673260391.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.678863688.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.675249381.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.675249381.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000002.932678004.0000000004791000.00000004.00000001.sdmp	Binary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI
Source: explorer.exe, 00000004.00000000.679085865.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000004.00000000.675249381.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\invoice.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\invoice.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\invoice.exe

Code function: 1_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\invoice.exe

Code function: 1_2_0040ACC0 LdrLoadDll,

Source: C:\Users\user\Desktop\invoice.exe

Code function: 0_2_0031EBDE EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\user\Desktop\invoice.exe

Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_003311EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00331229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_0033128C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_003306F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F6B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F190AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F53884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F53884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F92073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F641E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F569A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F02990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EFC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EFB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EFB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F02AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F02ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EEAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EEAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F1927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F8B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F8B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F64257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F14A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F14A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EFDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F553CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F553CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F02397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F8D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F03B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F03B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F914FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F6C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F6C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F88DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EED5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EED5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F01DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F01DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F01DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F035A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00ED2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EFC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EFC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F13D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F53540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F83D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EF7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F5A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F04D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F04D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F04D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F016E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F18EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F8FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F036CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F546A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00FA0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F6FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F9AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F8FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F0A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EDC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F08E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F91608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F137F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F57794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F57794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00F57794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00EE8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0450740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0450740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0450740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04508CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04473D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044E3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04457D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04508D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04443D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044BA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04464D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04464D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04464D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044E8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04462581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04462581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04462581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04462581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04432D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04432D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04432D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04432D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04432D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04461DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04461DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04461DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_045005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_045005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04447E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04447E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04447E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04447E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04447E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04447E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04468E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044EFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04478EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04508ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044636CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044EFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044616E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044476E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044CFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04500EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04500EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04500EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04508F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0450070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0450070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04434F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04434F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04448794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04450050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04450050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04501074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04504015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04504015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0444B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044CB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04439080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04439100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04439100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04439100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04454120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04454120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04454120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04454120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04454120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044C41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0446A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0445C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04462990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04439240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04439240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04439240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04439240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044C4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04508A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0447927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04448A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04435210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04435210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04435210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04435210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_0443AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04453A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_044FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 6_2_04474A2C mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\invoice.exe

Code function: 0_2_00315367 GetProcessHeap,

Source: C:\Users\user\Desktop\invoice.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00312537 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 0_2_00312506 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00312537 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\invoice.exe	Code function: 1_2_00312506 SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 109.73.164.114 80
Source: C:\Windows\explorer.exe	Network Connect: 68.66.248.44 80
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\invoice.exe	Section loaded: unknown target: C:\Users\user\Desktop\invoice.exe protection: execute and read and write
Source: C:\Users\user\Desktop\invoice.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\invoice.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Users\user\Desktop\invoice.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\invoice.exe	Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 3424

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\invoice.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\invoice.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: B0000

Source: C:\Users\user\Desktop\invoice.exe	Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\invoice.exe'

Source: explorer.exe, 00000004.00000000.665199204.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000002.924109355.0000000001080000.00000002.00000001.sdmp, control.exe, 00000006.00000002.924221104.0000000002CD0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.935436486.0000000005E50000.00000004.00000001.sdmp, control.exe, 00000006.00000002.924221104.0000000002CD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.924109355.0000000001080000.00000002.00000001.sdmp, control.exe, 00000006.00000002.924221104.0000000002CD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.924109355.0000000001080000.00000002.00000001.sdmp, control.exe, 00000006.00000002.924221104.0000000002CD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.678863688.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\invoice.exe

Code function: 0_2_00314831 cpuid

Source: C:\Users\user\Desktop\invoice.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\invoice.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
Source: C:\Users\user\Desktop\invoice.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\user\Desktop\invoice.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\invoice.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
Source: C:\Users\user\Desktop\invoice.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _LcidFromHexString,GetLocaleInfoW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,
Source: C:\Users\user\Desktop\invoice.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
Source: C:\Users\user\Desktop\invoice.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\invoice.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\invoice.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
Source: C:\Users\user\Desktop\invoice.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\user\Desktop\invoice.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\invoice.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
Source: C:\Users\user\Desktop\invoice.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _LcidFromHexString,GetLocaleInfoW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,
Source: C:\Users\user\Desktop\invoice.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
Source: C:\Users\user\Desktop\invoice.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Users\user\Desktop\invoice.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\invoice.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,

Source: C:\Users\user\Desktop\invoice.exe

Code function: 0_2_00317A48 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.invoice.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.invoice.exe.29d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.invoice.exe.29d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.invoice.exe.400000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Application Shimming1	Process Injection512	Rootkit1	Credential API Hooking1	System Time Discovery1	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Application Shimming1	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery151	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection512	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Information Discovery122	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
invoice.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.invoice.exe.29d0000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.invoice.exe.2970000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.invoice.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
rmcfoods.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.rmcfoods.com/saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxNJURkYQ12iJDSWINmeiyVLwn1GCX+dbx	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.laborexchanges.com/saf0/?UnSpxn_=BtLohM+uB3q4k/LlKf4h6h9jKhMOWhQYAUT20pwPFuxXeQimTiRkUGHppPy1CbtFE5UV&nHux40=pRmTZBcPIFQHkvP0	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.nigeriamoney.life/saf0/?UnSpxn_=KK0m7Tuk2BKDUiTVJC/eZPZggliL1QGXIKfUCxB6Gg0A7hnmP0tvgutH2fljjdRiWXxo&nHux40=pRmTZBcPIFQHkvP0	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
https://www.rmcfoods.com/saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxN	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
laborexchanges.com	34.102.136.180	true	true		unknown
rmcfoods.com	109.73.164.114	true	true	0%, Virustotal, Browse	unknown
nigeriamoney.life	68.66.248.44	true	true		unknown
www.nigeriamoney.life	unknown	unknown	true		unknown
www.rmcfoods.com	unknown	unknown	true		unknown
www.montesida.com	unknown	unknown	true		unknown
www.laborexchanges.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.rmcfoods.com/saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxNJURkYQ12iJDSWINmeiyVLwn1GCX+dbx	true	Avira URL Cloud: safe	unknown
http://www.laborexchanges.com/saf0/?UnSpxn_=BtLohM+uB3q4k/LlKf4h6h9jKhMOWhQYAUT20pwPFuxXeQimTiRkUGHppPy1CbtFE5UV&nHux40=pRmTZBcPIFQHkvP0	true	Avira URL Cloud: safe	unknown
http://www.nigeriamoney.life/saf0/?UnSpxn_=KK0m7Tuk2BKDUiTVJC/eZPZggliL1QGXIKfUCxB6Gg0A7hnmP0tvgutH2fljjdRiWXxo&nHux40=pRmTZBcPIFQHkvP0	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000004.00000000.666096636.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.rmcfoods.com/saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxN	control.exe, 00000006.00000002.925130650.0000000004E2F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	explorer.exe, 00000004.00000000.680205230.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
68.66.248.44	unknown	United States	55293	A2HOSTINGUS	true
109.73.164.114	unknown	United Kingdom	33182	DIMENOCUS	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321016
Start date:	20.11.2020
Start time:	09:13:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	invoice.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/0@4/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.9% (good quality ratio 17.4%) Quality average: 76.4% Quality standard deviation: 30.5%
HCA Information:	Successful, ratio: 89% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.193.48, 51.104.144.132, 52.155.217.156, 20.54.26.129, 95.101.22.134, 95.101.22.125 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
34.102.136.180	TR-D45.pdf.exe	Get hash	malicious	Browse	www.gcvinternational.com/gnu/?bly=TVIpcz004Rkd&X2MxIjJP=i4YBL42YhvK+usDHzss6Tj24XYATFEIvS7y0nzG29ZgEeNh3uLyKqQDd2VWk30ZHQtTi
	86dXpRWnFG.exe	Get hash	malicious	Browse	www.powderedsilk.com/ogg/?FdtP=yL0l42d8z4u&JfspOLvH=fOCM8bU6nldV/iwSncfaF5Bzy/lGPGgo/g5DGIZRlu3EMk3UROnm6TGL4YPAlMSLjacD
	LIST OF PRODUCTS NEEDED.exe	Get hash	malicious	Browse	www.present-motherhood.com/pna/?oXN=7nbLudZHS&wP9=pAJh36KDGKuozQ+wlnL4iaUZacIoIbb12I26NWSsGNXaprJ2jX+VR1VHCYeoOV3CYcpo
	Order specs19.11.20.exe	Get hash	malicious	Browse	www.overstockalpine.com/nwrr/?cj=Nc1MB4yErYgRagn/HzK3hScSsYEBegMtx+kEQv9TefYD7E7OGiE02SCDOI6eM3Hv09tUJ3eV9Q==&Rxo=L6hH4NIhfjzT
	Okwt8fW5KH.exe	Get hash	malicious	Browse	www.mybriefbox.com/sdk/?AP=KzrxE&kzut2Pv=ieC5SQ4WTCMGwLwKeHkkTkUTO60lnbNinIRTqFa5Tgq0ajZ12E69OSpNqOiQRcX/surf
	Purchase Order 40,7045.exe	Get hash	malicious	Browse	www.onlineshoppingisbest.com/igqu/?YnztXrjp=cAw+48JGWTFWiF+zD75YoKcSRGv0/cbX2CyjAL3BYh15xmcIYagPiXPUr4/0BC838prH&sBZxwb=FxlXFP2PHdiD2
	Payment Advice - Advice Ref GLV823990339.exe	Get hash	malicious	Browse	www.brilliance-automation.com/gyo3/?Ez=XAbIWkmCD7FprhBGM/1VWQtkWKjPoo+hixDnJGBEsGUo9CkrVpkcDmC1vi0ujf808Qfd1id09g==&lhud=TjfdU2S
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	www.rockinglifefromhome.com/igqu/?afo=42cTP78OQQp4lToQAaTApkvzdS7tu3b97V7Z9hUZNPZ7GHRvcEVBBFWfORGuicEzVgEw0Hp6jQ==&DHU4SX=gbT8543hIhm
	MV.KMTC JEBEL ALI_pdf.exe	Get hash	malicious	Browse	www.mereziboutique.com/y9z/?uFQl=hX/JgwGUf2blPgyiHp8pkr0UcN4JhiEs10p3+69z9DK69Gln3SJoRK9DZHZ4ze7gp3+f&CTvp=fv10_lYhrxJtW6
	SWIFT_HSBC Bank.exe	Get hash	malicious	Browse	www.homewellliving.com/nt8e/?7nwltvxh=y2sdQ9Xb5ECC4UyPumlTTMs33wxYtaLvB/dO1hyuc+aLkGir7cEA1isigJn19hEFQwDS&org=3foxnfCXOnIhKD
	23692 ANRITSU PROBE po 29288.exe	Get hash	malicious	Browse	www.funeralfermentarium.com/9d1o/?lvH8U=Wears+I1XvB+Lmut0rGzY9wAFTAHH41k5OVIheQSGxmq0oO+QWZXKPOXziEsAnWJSQrEFn+Exw==&E6A=8pDxC4
	PO0119-1620 LQSB 0320 Siemens.exe	Get hash	malicious	Browse	www.guillermoastiazaran.com/sppe/?DnadT=x+bcW4Gq4Sa+8Fw3ruRe02HfSBDGbo9y1yLk6wxIyT1lxw5Q+sxUrgb1tDfRR28VG68C&DxlLi=2dmX
	KYC_DOC_.EXE	Get hash	malicious	Browse	www.packorganically.com/bw82/?CXrL=77CCBBr2/49gWL5yauZnKqdCED7z+VtJXat/kGRZ6Qnjpe6WQ1Ax9xdsmUB8H+4disGx&llvxw=fTAlUHeHDVNhYV
	PO0119-1620 LQSB 0320 Siemens.exe	Get hash	malicious	Browse	www.bullwingsgt.com/sppe/?00D=NB3Dd/vOM6aQ3m0lcddBYOe/MXAC8Z/KQ2ZGmCsq6hDofgl0Po6pPua8TNWmH6LR2TRn&w48H=qBZ83x7XYlyP0lo0
	ant.exe	Get hash	malicious	Browse	www.spidermenroofsupport.com/94sb/?8pMt5xHX=C9biJKOafB1QzsexO7xJmKpRIYJMQj6VpKItH4wgGF+KF++s1hKyu2EaSVFJqiHWuFvG&GzrT=Wb1LdRq8x
	PROOF OF PAYMENT.exe	Get hash	malicious	Browse	www.prideaffiliate.com/mua8/?w48t=0pY022IXUBwLfpfP&nflpdH=Vm4JrPClk0aQj+jhcdONVb3zc5GtcUOmsZyrOc+k5NW+jXUcqcFsSwfT9cazrXQd7qcZ
	DEBIT NOTE DB-1130.exe	Get hash	malicious	Browse	www.knotgardenlifestylings.com/ihm3/?sBZ4lrK=PS39z8PEw7TzfNOCiLKd1OXoS8/GfzxzB5O+ulo0NmPTjwXimFWvt/sJkvH86VVEya1bUCOS1g==&FPcT7b=djCDfFRXOP7H
	POSH XANADU Order-SP-20-V241e.xlsx	Get hash	malicious	Browse	www.desk-freely.com/dtn/?lb=tWjSWtdhKEbcvZcDY2Isxp7DhwPqmKrgqV2LL8a+7y46vKpMTXTGiWVbDe2Qat9zzYwG/g==&8ptdvJ=KT0pXTAPFjE0
	PI 11172020.xlsx	Get hash	malicious	Browse	www.yourpassionpurposepower.com/egem/?Ob20Lf_=T+Py0QdJSh8uop0xQluPGRTKd40I+j4T0iQ6z9ArmxF3ClsH1rswXmlXU/F87B5u4zxcgw==&BB6=L48xY
	SHIPMENT DOCUMENT.xlsx	Get hash	malicious	Browse	www.jesussavethelost.com/tlu/?ebc8=E2JdjN_822M&Kpjp=WL9elnUNGmLALDc/aT9Yvopy5IOc6bZx+8KB1+n4COxRyIg81J8N2lucSrbi65xgujJdpg==

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLEUS	TR-D45.pdf.exe	Get hash	malicious	Browse	34.102.136.180
	knitted yarn documents.exe	Get hash	malicious	Browse	172.253.120.109
	86dXpRWnFG.exe	Get hash	malicious	Browse	34.102.136.180
	https://kimiyasanattools.com/outlook/latest-onedrive/microsoft.php	Get hash	malicious	Browse	172.217.16.130
	b0408bca49c87f9e54bce76565bc6518.exe	Get hash	malicious	Browse	74.125.34.46
	b2e3bd67d738988ca1bbed8d8b3e73fc.exe	Get hash	malicious	Browse	74.125.34.46
	ad14f913dc65be569277c8c76de608a4.exe	Get hash	malicious	Browse	74.125.34.46
	b2352353279664cc442f346015e86317.exe	Get hash	malicious	Browse	74.125.34.46
	ab1671011f681ff09ac0ffd70fc4b92b.exe	Get hash	malicious	Browse	74.125.34.46
	BetterPoints_v4.60.1_apkpure.com.apk	Get hash	malicious	Browse	216.58.212.163
	b0e7416dbf03a7359e909c5bd68ae6e1.exe	Get hash	malicious	Browse	74.125.34.46
	afaa3d5f10a2ea3c2813b3dd1dac8388.exe	Get hash	malicious	Browse	74.125.34.46
	afbce292dbb11bda3b89b5ff8270bd20.exe	Get hash	malicious	Browse	74.125.34.46
	aea80fb9d13561d7628b9d2f80a36ad0.exe	Get hash	malicious	Browse	74.125.34.46
	af8eb3450867384ca855f2f0d0d6ae94.exe	Get hash	malicious	Browse	74.125.34.46
	ae80b9b86323a612ce7a9c99f5cb65b4.exe	Get hash	malicious	Browse	74.125.34.46
	ae85c1f45fb26bf61dc41c2a93d29b76.exe	Get hash	malicious	Browse	74.125.34.46
	adf21651776b58545870cdcb1b2d955b.exe	Get hash	malicious	Browse	74.125.34.46
	b2592f2f7a2eb53687b3a26249513d6e.exe	Get hash	malicious	Browse	74.125.34.46
	ad167b5f4bd63100aeb68d12a0d87fae.exe	Get hash	malicious	Browse	74.125.34.46
A2HOSTINGUS	Inquiry-20201118105427.exe	Get hash	malicious	Browse	85.187.154.178
	EMMYDON.exe	Get hash	malicious	Browse	85.187.154.178
	OUTSTANDING INVOICE_pdf.exe	Get hash	malicious	Browse	85.187.154.178
	uM0FDMSqE2.exe	Get hash	malicious	Browse	70.32.23.14
	VeiRTphBRH.exe	Get hash	malicious	Browse	85.187.154.178
	qkN4OZWFG6.exe	Get hash	malicious	Browse	68.66.216.20
	https://pixelksa.com/po/NewfilServices/index.php	Get hash	malicious	Browse	67.209.116.21
	https://www.desimealz.com/wp-content/plugins/xnbwwmx/Payment_Report_EFT_FX_FT%202020-13-11.jar	Get hash	malicious	Browse	85.187.137.156
	kvdYhqN3Nh.exe	Get hash	malicious	Browse	68.66.216.20
	DHL RECEIPT_pdf.exe	Get hash	malicious	Browse	85.187.154.178
	RFQ-1324455663 API 5L X 60.exe	Get hash	malicious	Browse	85.187.154.178
	DHL INVOICE_pdf.exe	Get hash	malicious	Browse	85.187.154.178
	sxs73zrn8P.exe	Get hash	malicious	Browse	85.187.154.178
	Zahlung-06.11.20.exe	Get hash	malicious	Browse	68.66.224.27
	doc_7252.xls	Get hash	malicious	Browse	70.32.23.58
	inv-2635.xls	Get hash	malicious	Browse	70.32.23.58
	invoice8984.xls	Get hash	malicious	Browse	70.32.23.58
	invoice8984.xls	Get hash	malicious	Browse	70.32.23.58
	Y9ZpOm6Fvf.xls	Get hash	malicious	Browse	70.32.23.58
	Y9ZpOm6Fvf.xls	Get hash	malicious	Browse	70.32.23.58
DIMENOCUS	ddos________ (IW0Irt2zSey6D6LMEgcs2kqQiSuMa 8 G).js	Get hash	malicious	Browse	67.23.238.50
	ddos________ (IW0Irt2zSey6D6LMEgcs2kqQiSuMa 8 G).js	Get hash	malicious	Browse	67.23.238.50
	Richiesta Urgente.pdf.exe	Get hash	malicious	Browse	64.37.52.42
	VRVA8aGgQc.exe	Get hash	malicious	Browse	138.128.167.210
	af6y2Oe5lX.exe	Get hash	malicious	Browse	138.128.171.170
	https://encrypt.puzzledpuppy.com/	Get hash	malicious	Browse	67.23.254.10
	iSrBUSEJzI.exe	Get hash	malicious	Browse	67.23.242.109
	VncDfMvr.exe	Get hash	malicious	Browse	138.121.203.205
	doc_pack-1177677900.xls	Get hash	malicious	Browse	198.49.68.125
	doc_pack-1176294411.xls	Get hash	malicious	Browse	198.49.68.125
	doc_pack-1176283396.xls	Get hash	malicious	Browse	198.49.68.125
	doc_pack-1150040064.xls	Get hash	malicious	Browse	198.49.68.125
	doc_pack-116797112.xls	Get hash	malicious	Browse	198.49.68.125
	doc_pack-1152979951.xls	Get hash	malicious	Browse	198.49.68.125
	doc_pack-1172943982.xls	Get hash	malicious	Browse	198.49.68.125
	doc_pack-1168834311.xls	Get hash	malicious	Browse	198.49.68.125
	doc_pack-1175649875.xls	Get hash	malicious	Browse	198.49.68.125
	doc_pack-1161987695.xls	Get hash	malicious	Browse	198.49.68.125
	doc_pack-1141425075.xls	Get hash	malicious	Browse	198.49.68.125
	doc_pack-1155391818.xls	Get hash	malicious	Browse	198.49.68.125

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.5085570432359425
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	invoice.exe
File size:	392704
MD5:	c11b21f5c4adcab958c7706cd38f5697
SHA1:	9112cb83359d88fde19f16290020fe813ba46b46
SHA256:	ca31bf22e81cd78167c74ed368d9e6ffd06a189dacf22e4b007bcb452f5636d4
SHA512:	068e2ad21e19246796a81255e2deefe90c2abb817b1a0a3e00a5d0ca5a8817250993ddea82b3e66a65e4dc048fd17c0fb1528e1bff463e886c2f8953094982d1
SSDEEP:	6144:/ZzdCjALkRnJtNyToqsnq80C56Q+uKY911qvkBBPMPAvgDfsH5YwVFIovJgu+D0/:/ZzdCcknyToq20C5vKE11qvaBPTqsHfL
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........hc..............X.......X.......X..J...P................[.......[...............[......Rich............PE..L...0Z._...........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40e57c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB75A30 [Fri Nov 20 05:54:56 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c35b119ed93d2da3d4093a6e2ea9517c

Entrypoint Preview

Instruction
call 00007FC524B0CFFCh
jmp 00007FC524B039B4h
call 00007FC524B0B42Bh
mov edx, eax
mov eax, dword ptr [edx+6Ch]
cmp eax, dword ptr [0042EA34h]
je 00007FC524B03B42h
mov ecx, dword ptr [0042EAF0h]
test dword ptr [edx+70h], ecx
jne 00007FC524B03B37h
call 00007FC524B0B20Eh
mov eax, dword ptr [eax+04h]
ret
call 00007FC524B0B405h
mov edx, eax
mov eax, dword ptr [edx+6Ch]
cmp eax, dword ptr [0042EA34h]
je 00007FC524B03B42h
mov ecx, dword ptr [0042EAF0h]
test dword ptr [edx+70h], ecx
jne 00007FC524B03B37h
call 00007FC524B0B1E8h
add eax, 000000A0h
ret
call 00007FC524B0B3DDh
mov edx, eax
mov eax, dword ptr [edx+6Ch]
cmp eax, dword ptr [0042EA34h]
je 00007FC524B03B42h
mov ecx, dword ptr [0042EAF0h]
test dword ptr [edx+70h], ecx
jne 00007FC524B03B37h
call 00007FC524B0B1C0h
mov eax, dword ptr [eax+74h]
ret
push ebp
mov ebp, esp
sub esp, 44h
mov eax, dword ptr [0042E748h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
push esi
mov esi, dword ptr [ebp+08h]
xor ebx, ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-20h], ebx
mov dword ptr [ebp-24h], ebx
mov eax, dword ptr [esi+000000A8h]
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-44h], esi
mov dword ptr [ebp-40h], ebx
test eax, eax
je 00007FC524B03E40h
push edi
lea edi, dword ptr [esi+04h]
cmp dword ptr [edi], ebx
jne 00007FC524B03B4Eh
push edi
push 00001004h
push eax

Rich Headers

Programming Language:

[RES] VS2013 build 21005
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d37c	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36000	0x1db4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2bc30	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x198	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23919	0x23a00	False	0.538219572368	zlib compressed data	6.69192486686	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x8cc0	0x8e00	False	0.381519586268	data	4.6980794791	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2e000	0x6b40	0x3a00	False	0.672885237069	DOS executable (block device driver ght (c)	6.49030074311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x35000	0x1e0	0x200	False	0.52734375	data	4.71229819329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x36000	0x1db4	0x1e00	False	0.773697916667	data	6.56994986298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x35060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	OutputDebugStringW, GetFileAttributesExW, SetStdHandle, GetExitCodeProcess, WaitForSingleObject, WriteConsoleW, ReadConsoleW, SetEnvironmentVariableA, CreateProcessA, VirtualProtect, HeapReAlloc, SetFilePointerEx, ReadFile, GetConsoleMode, GetConsoleCP, FlushFileBuffers, CloseHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetSystemTimeAsFileTime, GetCurrentProcessId, WideCharToMultiByte, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, MultiByteToWideChar, GetStringTypeW, GetLastError, HeapFree, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, GetCommandLineW, GetCPInfo, RaiseException, RtlUnwind, HeapAlloc, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, IsDebuggerPresent, GetProcessHeap, GetCurrentThreadId, HeapSize, GetStdHandle, WriteFile, GetModuleFileNameW, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetFileType, QueryPerformanceCounter, CreateFileW
mscms.dll	RegisterCMMW, AssociateColorProfileWithDeviceW, SelectCMM, CreateColorTransformA, IsColorProfileValid, OpenColorProfileW
MPR.dll	WNetGetLastErrorW, WNetAddConnection3A
GDI32.dll	PlayMetaFile, SetBitmapBits, AddFontResourceW, CreateSolidBrush, SelectObject
WS2_32.dll	WSACleanup, getservbyport, WSAAsyncGetProtoByName, WSASetServiceW, WSARemoveServiceClass
MSACM32.dll	acmFilterChooseA, acmStreamPrepareHeader, acmDriverID, acmDriverDetailsA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/20/20-09:15:52.713008	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49764	34.102.136.180	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 09:15:52.579793930 CET	49764	80	192.168.2.4	34.102.136.180
Nov 20, 2020 09:15:52.596340895 CET	80	49764	34.102.136.180	192.168.2.4
Nov 20, 2020 09:15:52.596441031 CET	49764	80	192.168.2.4	34.102.136.180
Nov 20, 2020 09:15:52.596668005 CET	49764	80	192.168.2.4	34.102.136.180
Nov 20, 2020 09:15:52.613137960 CET	80	49764	34.102.136.180	192.168.2.4
Nov 20, 2020 09:15:52.713007927 CET	80	49764	34.102.136.180	192.168.2.4
Nov 20, 2020 09:15:52.713032007 CET	80	49764	34.102.136.180	192.168.2.4
Nov 20, 2020 09:15:52.713203907 CET	49764	80	192.168.2.4	34.102.136.180
Nov 20, 2020 09:15:52.713267088 CET	49764	80	192.168.2.4	34.102.136.180
Nov 20, 2020 09:15:52.729657888 CET	80	49764	34.102.136.180	192.168.2.4
Nov 20, 2020 09:16:14.201641083 CET	49767	80	192.168.2.4	109.73.164.114
Nov 20, 2020 09:16:14.388181925 CET	80	49767	109.73.164.114	192.168.2.4
Nov 20, 2020 09:16:14.388372898 CET	49767	80	192.168.2.4	109.73.164.114
Nov 20, 2020 09:16:14.388565063 CET	49767	80	192.168.2.4	109.73.164.114
Nov 20, 2020 09:16:14.574364901 CET	80	49767	109.73.164.114	192.168.2.4
Nov 20, 2020 09:16:14.574588060 CET	80	49767	109.73.164.114	192.168.2.4
Nov 20, 2020 09:16:14.574606895 CET	80	49767	109.73.164.114	192.168.2.4
Nov 20, 2020 09:16:14.574795008 CET	49767	80	192.168.2.4	109.73.164.114
Nov 20, 2020 09:16:14.574888945 CET	49767	80	192.168.2.4	109.73.164.114
Nov 20, 2020 09:16:14.761779070 CET	80	49767	109.73.164.114	192.168.2.4
Nov 20, 2020 09:16:36.918991089 CET	49768	80	192.168.2.4	68.66.248.44
Nov 20, 2020 09:16:36.955167055 CET	80	49768	68.66.248.44	192.168.2.4
Nov 20, 2020 09:16:36.955245018 CET	49768	80	192.168.2.4	68.66.248.44
Nov 20, 2020 09:16:36.955394983 CET	49768	80	192.168.2.4	68.66.248.44
Nov 20, 2020 09:16:36.991422892 CET	80	49768	68.66.248.44	192.168.2.4
Nov 20, 2020 09:16:37.447376013 CET	49768	80	192.168.2.4	68.66.248.44
Nov 20, 2020 09:16:37.523334980 CET	80	49768	68.66.248.44	192.168.2.4
Nov 20, 2020 09:16:37.932816029 CET	80	49768	68.66.248.44	192.168.2.4
Nov 20, 2020 09:16:37.932846069 CET	80	49768	68.66.248.44	192.168.2.4
Nov 20, 2020 09:16:37.932948112 CET	49768	80	192.168.2.4	68.66.248.44
Nov 20, 2020 09:16:37.933221102 CET	49768	80	192.168.2.4	68.66.248.44

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 09:14:26.356555939 CET	52991	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:26.383533001 CET	53	52991	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:27.016799927 CET	53700	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:28.030734062 CET	53700	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:28.066214085 CET	53	53700	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:29.063208103 CET	51726	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:29.100934982 CET	53	51726	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:30.234272003 CET	56794	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:30.269426107 CET	53	56794	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:31.725121021 CET	56534	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:31.752351046 CET	53	56534	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:32.659058094 CET	56627	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:32.687076092 CET	53	56627	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:33.583071947 CET	56621	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:33.610994101 CET	53	56621	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:34.555955887 CET	63116	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:34.586946011 CET	53	63116	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:35.243594885 CET	64078	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:35.272847891 CET	53	64078	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:38.044200897 CET	64801	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:38.079848051 CET	53	64801	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:38.944530964 CET	61721	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:38.971508980 CET	53	61721	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:39.650949955 CET	51255	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:39.680785894 CET	53	51255	8.8.8.8	192.168.2.4
Nov 20, 2020 09:14:54.653549910 CET	61522	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:14:54.680717945 CET	53	61522	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:19.360845089 CET	52337	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:19.396440029 CET	53	52337	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:19.949199915 CET	55046	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:19.976347923 CET	53	55046	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:20.399415016 CET	49612	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:20.437258005 CET	53	49612	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:20.743822098 CET	49285	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:20.770981073 CET	53	49285	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:21.156563044 CET	50601	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:21.192065954 CET	53	50601	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:21.249798059 CET	60875	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:21.276889086 CET	53	60875	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:21.845570087 CET	56448	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:21.872766018 CET	53	56448	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:22.512516022 CET	59172	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:22.548278093 CET	53	59172	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:23.596307039 CET	62420	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:23.625067949 CET	53	62420	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:24.750927925 CET	60579	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:24.786436081 CET	53	60579	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:25.191574097 CET	50183	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:25.227329016 CET	53	50183	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:31.827086926 CET	61531	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:32.081990004 CET	53	61531	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:34.083076000 CET	49228	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:34.120954990 CET	53	49228	8.8.8.8	192.168.2.4
Nov 20, 2020 09:15:52.536029100 CET	59794	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:15:52.575443983 CET	53	59794	8.8.8.8	192.168.2.4
Nov 20, 2020 09:16:08.662126064 CET	55916	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:16:08.689110041 CET	53	55916	8.8.8.8	192.168.2.4
Nov 20, 2020 09:16:12.190711021 CET	52752	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:16:12.234077930 CET	53	52752	8.8.8.8	192.168.2.4
Nov 20, 2020 09:16:13.795341015 CET	60542	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:16:14.199707031 CET	53	60542	8.8.8.8	192.168.2.4
Nov 20, 2020 09:16:36.775078058 CET	60689	53	192.168.2.4	8.8.8.8
Nov 20, 2020 09:16:36.917795897 CET	53	60689	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 20, 2020 09:15:31.827086926 CET	192.168.2.4	8.8.8.8	0x4b4e	Standard query (0)	www.montesida.com	A (IP address)	IN (0x0001)
Nov 20, 2020 09:15:52.536029100 CET	192.168.2.4	8.8.8.8	0x4a5c	Standard query (0)	www.laborexchanges.com	A (IP address)	IN (0x0001)
Nov 20, 2020 09:16:13.795341015 CET	192.168.2.4	8.8.8.8	0x2d7	Standard query (0)	www.rmcfoods.com	A (IP address)	IN (0x0001)
Nov 20, 2020 09:16:36.775078058 CET	192.168.2.4	8.8.8.8	0xef80	Standard query (0)	www.nigeriamoney.life	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 20, 2020 09:15:32.081990004 CET	8.8.8.8	192.168.2.4	0x4b4e	Server failure (2)	www.montesida.com	none	none	A (IP address)	IN (0x0001)
Nov 20, 2020 09:15:52.575443983 CET	8.8.8.8	192.168.2.4	0x4a5c	No error (0)	www.laborexchanges.com	laborexchanges.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 09:15:52.575443983 CET	8.8.8.8	192.168.2.4	0x4a5c	No error (0)	laborexchanges.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 20, 2020 09:16:14.199707031 CET	8.8.8.8	192.168.2.4	0x2d7	No error (0)	www.rmcfoods.com	rmcfoods.com		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 09:16:14.199707031 CET	8.8.8.8	192.168.2.4	0x2d7	No error (0)	rmcfoods.com		109.73.164.114	A (IP address)	IN (0x0001)
Nov 20, 2020 09:16:36.917795897 CET	8.8.8.8	192.168.2.4	0xef80	No error (0)	www.nigeriamoney.life	nigeriamoney.life		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 09:16:36.917795897 CET	8.8.8.8	192.168.2.4	0xef80	No error (0)	nigeriamoney.life		68.66.248.44	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.laborexchanges.com

www.rmcfoods.com

www.nigeriamoney.life

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49764	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 09:15:52.596668005 CET	5208	OUT	GET /saf0/?UnSpxn_=BtLohM+uB3q4k/LlKf4h6h9jKhMOWhQYAUT20pwPFuxXeQimTiRkUGHppPy1CbtFE5UV&nHux40=pRmTZBcPIFQHkvP0 HTTP/1.1 Host: www.laborexchanges.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 09:15:52.713007927 CET	5208	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 20 Nov 2020 08:15:52 GMT Content-Type: text/html Content-Length: 275 ETag: "5fb6e153-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49767	109.73.164.114	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 09:16:14.388565063 CET	5228	OUT	GET /saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxNJURkYQ12iJDSWINmeiyVLwn1GCX+dbx HTTP/1.1 Host: www.rmcfoods.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 09:16:14.574588060 CET	5230	IN	HTTP/1.1 302 Found Connection: close Content-Type: text/html Content-Length: 682 Date: Fri, 20 Nov 2020 08:16:14 GMT Server: LiteSpeed Cache-Control: no-cache, no-store, must-revalidate, max-age=0 Location: https://www.rmcfoods.com/saf0/?nHux40=pRmTZBcPIFQHkvP0&UnSpxn_=l0vU6hoQQSceldQJGhZQQ6qERl0xu4TDj5AxNJURkYQ12iJDSWINmeiyVLwn1GCX+dbx Vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 32 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49768	68.66.248.44	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 20, 2020 09:16:36.955394983 CET	5232	OUT	GET /saf0/?UnSpxn_=KK0m7Tuk2BKDUiTVJC/eZPZggliL1QGXIKfUCxB6Gg0A7hnmP0tvgutH2fljjdRiWXxo&nHux40=pRmTZBcPIFQHkvP0 HTTP/1.1 Host: www.nigeriamoney.life Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 20, 2020 09:16:37.932816029 CET	5233	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 20 Nov 2020 08:16:36 GMT Server: Apache X-Powered-By: PHP/7.2.34 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Strict-Transport-Security: max-age=63072000; includeSubDomains X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Location: http://nigeriamoney.life/saf0/?UnSpxn_=KK0m7Tuk2BKDUiTVJC/eZPZggliL1QGXIKfUCxB6Gg0A7hnmP0tvgutH2fljjdRiWXxo&nHux40=pRmTZBcPIFQHkvP0 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE9
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE9
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE9
GetMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE9

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: invoice.exe PID: 5872 Parent PID: 6100

General

Start time:	09:14:33
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\invoice.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\invoice.exe'
Imagebase:	0x300000
File size:	392704 bytes
MD5 hash:	C11B21F5C4ADCAB958C7706CD38F5697
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.662094900.00000000029D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: invoice.exe PID: 4284 Parent PID: 5872

General

Start time:	09:14:33
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\invoice.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\invoice.exe
Imagebase:	0x300000
File size:	392704 bytes
MD5 hash:	C11B21F5C4ADCAB958C7706CD38F5697
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.694812494.0000000000B70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.694586179.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.694843913.0000000000BA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3424 Parent PID: 4284

General

Start time:	09:14:37
Start date:	20/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: control.exe PID: 6784 Parent PID: 3424

General

Start time:	09:14:48
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xb0000
File size:	114688 bytes
MD5 hash:	40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.923792314.0000000002380000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.923314997.0000000000150000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 6880 Parent PID: 6784

General

Start time:	09:14:52
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\invoice.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6756 Parent PID: 6880

General

Start time:	09:14:53
Start date:	20/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report invoice.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets