Analysis Report Invoiceo.exe

Overview

General Information

Sample Name: Invoiceo.exe
Analysis ID: 402845
MD5: 8f2489d7ce50e99109af9925818daf2b
SHA1: 5481d53e59fda1e0d849b677e15b410ba6f64fbc
SHA256: 0013853950647289e952326b93ce46aa3e73db654367ef3c005e29257db31fba
Tags: exe
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name recorded in the version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.swim-maki.com/csi/"], "decoy": ["crazyonlineboutique.com", "nelivo.com", "chibimama-blog.com", "teachersofnyc.com", "rare-snare.com", "sunriseatlennox.com", "innovate-nation.com", "mahowebcam.com", "foodbyroyalbites.com", "nkm580.com", "premiumplanterboxes.com", "uspaypausa.com", "wto2b.com", "evoocb.com", "missilenttech.com", "adtlive.com", "guapeco.com", "keepfaithful.com", "djayhoward.com", "cora-designstj.com", "furrybasics.com", "tabuk24.com", "bioshope.online", "naturaldesiproducts.com", "ardreykellbaseball.com", "irisettlement.com", "bahama-id.com", "lastweektonight.watch", "professor-ux.com", "lifecompetitions.net", "axislnsmail.com", "dohannor.com", "powertuningfiles.com", "analistaweb.net", "baascompanies.com", "gengkakmona.com", "salonandspaexperts.com", "mynet.ltd", "lionandivy.com", "shopalam.com", "ana9aty.net", "sandostore.com", "theasigosysteminfo.com", "academiadoaprender.com", "akvirtualtours.com", "hecoldwithit.com", "stopsiba.com", "credit780.com", "ss01center.com", "wristaidmd.com", "s2nps.co.uk", "kontrey.com", "cheesecakedactory.com", "bnytechnologies.com", "enhancinggrowth.com", "gorgeus-girl-full-service.today", "bermudesfcrasettlement.com", "beste-gruppe.com", "lfntv.com", "coronarestschuldbefreiung.info", "positivechampions.com", "roadsigntoday.club", "oxytocin.online", "bupamwhub.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\yYxmxiApi.exe ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: Invoiceo.exe ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.Invoiceo.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
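The memory-dump names in the Yara hits above (for example 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp) encode where each match was found. The following Python decoder is an added example and not part of the report or of Joe Sandbox. The field layout it assumes (PID in hex, analysis stage, counter, base address, page protection, type) is inferred from this report's own cross-references, where 0000000B.00000002.…0000000000400000.00000040 corresponds to 11.2.Invoiceo.exe.400000.0.unpack; the protection field is read as a Windows PAGE_* constant, and the sixth field is kept raw because the report does not explain it. The PID-to-process map is taken from the process names that appear elsewhere in this report.

```python
import re
from dataclasses import dataclass

# Windows page-protection constants from winnt.h; the fifth dump-name field
# is interpreted as one of these (assumption based on the report's cross-references).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# <pid hex>.<stage hex>.<counter>.<base hex>.<protection hex>.<type hex>.sdmp
DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)

# PIDs named in this report: 0 and 11 are Invoiceo.exe, 13 is explorer.exe, 26 is cmd.exe.
PROCESS_BY_PID = {0: "Invoiceo.exe", 11: "Invoiceo.exe", 13: "explorer.exe", 26: "cmd.exe"}

# The five MEMORY dumps the FormBook Yara rule matched, copied from the report.
YARA_HIT_DUMPS = [
    "00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp",
    "0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp",
    "0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp",
    "0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp",
    "0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp",
]

# Windows binaries that should never legitimately hold the FormBook payload.
SYSTEM_BINARIES = {"cmd.exe", "explorer.exe"}


@dataclass(frozen=True)
class DumpInfo:
    pid: int
    stage: int
    base: int
    protection: int
    protection_name: str
    kind: int  # sixth field, meaning not documented on the page; kept raw

    @property
    def executable(self) -> bool:
        # Any PAGE_EXECUTE* value (0x10..0x80) means the region can run code.
        return bool(self.protection & 0xF0)


def parse_dump_name(name: str) -> DumpInfo:
    """Decode a Joe Sandbox style dump file name into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name!r}")
    prot = int(m["prot"], 16)
    return DumpInfo(
        pid=int(m["pid"], 16),
        stage=int(m["stage"], 16),
        base=int(m["base"], 16),
        protection=prot,
        protection_name=PAGE_PROTECTION.get(prot, f"0x{prot:02x}"),
        kind=int(m["kind"], 16),
    )


def describe(name: str, procs=PROCESS_BY_PID) -> str:
    d = parse_dump_name(name)
    proc = procs.get(d.pid, "unknown")
    return f"PID {d.pid} ({proc}) stage {d.stage} base 0x{d.base:08X} {d.protection_name}"


def injected_code_candidates(names, procs=PROCESS_BY_PID, system_binaries=SYSTEM_BINARIES):
    """Yara hits in executable memory of a Windows system binary: the signature of injected code."""
    out = []
    for name in names:
        d = parse_dump_name(name)
        proc = procs.get(d.pid, "unknown")
        if d.executable and proc in system_binaries:
            out.append((proc, d.pid, d.base))
    return out


if __name__ == "__main__":
    for n in YARA_HIT_DUMPS:
        print(describe(n))
    print("injected:", injected_code_candidates(YARA_HIT_DUMPS))
```

Read this way, two of the hits are in PAGE_EXECUTE_READWRITE memory: PID 11 at 0x400000 (the image base of the second Invoiceo.exe instance, consistent with the "Sample uses process hollowing technique" signature) and PID 26, cmd.exe, at 0x3200000, which is what the "System process connects to network (likely due to code injection)" signature looks like in memory. The hit in PID 0 at 0x3749000 is only PAGE_READWRITE, i.e. the still-packed payload sitting in the .NET loader's heap before injection.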

Compliance:

Uses 32bit PE files
Source: Invoiceo.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Invoiceo.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmd.pdbUGP source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp, cmd.exe, 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp, cmd.exe, 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp, cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0034245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 26_2_0034245C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003468BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 26_2_003468BA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 26_2_0033B89C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003385EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 26_2_003385EA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003531DC FindFirstFileW,FindNextFileW,FindClose, 26_2_003531DC

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 4x nop then pop ebx 11_2_00407AFA
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 4x nop then pop edi 11_2_00417D66
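The two findings above come from a byte-level heuristic: a run of single-byte nop instructions (0x90) followed immediately by a pop of a general register, as in "4x nop then pop ebx". The scanner below is an added example that reimplements that heuristic in Python; it is not Joe Sandbox code, and the sample bytes it scans are constructed here to exercise it. It only looks at single-byte 0x90 nops, the pattern the report names.

```python
# x86 single-byte opcodes: 0x90 is nop, 0x58..0x5F are pop eax/ecx/edx/ebx/esp/ebp/esi/edi.
POP_REG = {0x58 + i: reg for i, reg in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}


def find_nop_then_pop(code: bytes, base: int = 0, min_nops: int = 4):
    """Return (address, nop_count, register) for every run of >= min_nops
    0x90 bytes that is directly followed by a single-byte pop."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != 0x90:
            i += 1
            continue
        j = i
        while j < n and code[j] == 0x90:
            j += 1
        run = j - i
        if run >= min_nops and j < n and code[j] in POP_REG:
            hits.append((base + i, run, POP_REG[code[j]]))
        i = j  # skip the whole run, whatever it was followed by
    return hits


def describe_hits(hits):
    """Render hits in the same wording the report uses."""
    return [f"{run}x nop then pop {reg} at 0x{addr:08X}" for addr, run, reg in hits]


# Constructed test bytes (not from the sample): a function prologue, a 4-nop run
# ending in pop ebx, a too-short 2-nop run, and a 4-nop run ending in pop edi.
SAMPLE_CODE = (
    b"\x55\x8b\xec"            # push ebp; mov ebp, esp
    + b"\x90" * 4 + b"\x5b"    # nop x4; pop ebx   -> hit
    + b"\xc3"                  # ret
    + b"\x90\x90\x5f"          # nop x2; pop edi   -> below threshold, no hit
    + b"\x90" * 4 + b"\x5f"    # nop x4; pop edi   -> hit
    + b"\xc3"                  # ret
)

if __name__ == "__main__":
    # To scan a real dump: find_nop_then_pop(open(path, "rb").read(), base=0x400000)
    for line in describe_hits(find_nop_then_pop(SAMPLE_CODE, base=0x400000)):
        print(line)
```

Treat this as a weak indicator on its own: compilers emit 0x90 padding between functions, and modern toolchains use multi-byte nops (0F 1F ...) that this scanner ignores. What makes the pattern interesting is a nop run inside a function body that lands on a stack pop, which is what hand-written or obfuscated code tends to leave behind; the report accordingly ranks it as "likely" rather than as a definite finding.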

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 154.207.58.218:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 154.207.58.218:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 154.207.58.218:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.swim-maki.com/csi/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /csi/?TTgLKx=uFNDtp4H1nDLCVd&mR-ptRI=N6ynhade2rGTzfH7Obdga9j8h7xnVmduHv/FNLw2V1/oBiufSguui3vD99XwSD3G2mHh HTTP/1.1
Host: www.tabuk24.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
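The request above goes to www.tabuk24.com, which is one of the decoy domains in the extracted configuration, not the configured C2 (www.swim-maki.com/csi/); it uses the same /csi/ path and the two-parameter query that the Snort FormBook check-in rules key on, and carries no User-Agent. The Python below is an added triage example, not part of the report: it parses a captured request, checks it against the extracted configuration and lists the check-in traits. The configuration is a subset of the one the report extracted (one C2, eight of the sixty-four decoys), and the request bytes are reconstructed from the traffic line above with the CRLF line breaks restored; the regular expression for the query shape is this example's own approximation, not the Snort rule.

```python
import re
from urllib.parse import urlsplit

# Subset of the FormBook configuration extracted in this report.
CONFIG = {
    "C2 list": ["www.swim-maki.com/csi/"],
    "decoy": ["crazyonlineboutique.com", "nelivo.com", "teachersofnyc.com", "rare-snare.com",
              "adtlive.com", "tabuk24.com", "bahama-id.com", "kontrey.com"],
}

# The observed check-in, reconstructed from the report's traffic line (CRLFs restored).
OBSERVED_REQUEST = (
    b"GET /csi/?TTgLKx=uFNDtp4H1nDLCVd&mR-ptRI=N6ynhade2rGTzfH7Obdga9j8h7xnVmduHv/"
    b"FNLw2V1/oBiufSguui3vD99XwSD3G2mHh HTTP/1.1\r\n"
    b"Host: www.tabuk24.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)

# Approximation of the check-in shape: GET /<dir>/?<k1>=<v1>&<k2>=<v2>
CHECKIN_TARGET = re.compile(r"^/[A-Za-z0-9_-]+/\?[^=&]+=[^&]+&[^=&]+=[^&]+$")


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers (lower-cased names), body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def _norm(host: str) -> str:
    host = host.lower().strip()
    return host[4:] if host.startswith("www.") else host


def c2_hosts(config) -> set:
    return {_norm(urlsplit("http://" + u).hostname) for u in config["C2 list"]}


def c2_paths(config) -> set:
    return {urlsplit("http://" + u).path for u in config["C2 list"]}


def classify_host(host: str, config) -> str:
    """'c2', 'decoy' or 'unknown' for a contacted host name."""
    h = _norm(host)
    if h in c2_hosts(config):
        return "c2"
    if h in {_norm(d) for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def checkin_indicators(req: dict) -> list:
    """Traits of the FormBook check-in that the IDS rules and the report's signatures flag."""
    reasons = []
    if req["method"] == "GET" and CHECKIN_TARGET.match(req["target"]):
        reasons.append("GET with two-parameter query")
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header")
    if req["headers"].get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    return reasons


def triage(raw: bytes, config) -> dict:
    req = parse_http_request(raw)
    host = req["headers"].get("host", "")
    return {
        "host": host,
        "role": classify_host(host, config),
        "path_matches_c2": urlsplit(req["target"]).path in c2_paths(config),
        "indicators": checkin_indicators(req),
    }


def block_list(config) -> list:
    """Every host the bot may contact: the real C2 plus all decoys. A single
    sandbox run shows only one of them, so blocking the observed host alone is not enough."""
    return sorted(c2_hosts(config) | {_norm(d) for d in config["decoy"]})


if __name__ == "__main__":
    print(triage(OBSERVED_REQUEST, CONFIG))
    print(block_list(CONFIG))
```

The practical consequence for response: the domain seen in the capture (and the 154.207.58.218 address it resolved to) is a decoy, so indicators taken from the pcap alone would miss the real C2. Take the host list from the extracted configuration, and detect on the request shape (no User-Agent, Connection: close, /<dir>/?k=v&k=v to a bare host) rather than on one domain.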
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: global traffic HTTP traffic detected: GET /csi/?TTgLKx=uFNDtp4H1nDLCVd&mR-ptRI=N6ynhade2rGTzfH7Obdga9j8h7xnVmduHv/FNLw2V1/oBiufSguui3vD99XwSD3G2mHh HTTP/1.1
Host: www.tabuk24.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: unknown DNS traffic detected: queries for: www.tabuk24.com
Source: explorer.exe, 0000000D.00000000.295505046.000000000F640000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.405129582.0000000004931000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.adtlive.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.adtlive.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.adtlive.com/csi/www.rare-snare.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.adtlive.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.analistaweb.net
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.analistaweb.net/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.analistaweb.net/csi/www.kontrey.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.analistaweb.netReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bahama-id.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bahama-id.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bahama-id.com/csi/www.uspaypausa.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bahama-id.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bermudesfcrasettlement.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bermudesfcrasettlement.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bermudesfcrasettlement.com/csi/www.salonandspaexperts.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bermudesfcrasettlement.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bioshope.online
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bioshope.online/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bioshope.online/csi/www.wristaidmd.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.bioshope.onlineReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.foodbyroyalbites.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.foodbyroyalbites.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.foodbyroyalbites.com/csi/www.bioshope.online
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.foodbyroyalbites.comReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.kontrey.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.kontrey.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.kontrey.com/csi/www.bahama-id.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.kontrey.comReferer:
Source: powershell.exe, 00000004.00000003.348127191.00000000090A2000.00000004.00000001.sdmp String found in binary or memory: http://www.microsoft.co
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.naturaldesiproducts.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.naturaldesiproducts.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.naturaldesiproducts.com/csi/M
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.naturaldesiproducts.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.nelivo.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.nelivo.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.nelivo.com/csi/www.adtlive.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.nelivo.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.rare-snare.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.rare-snare.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.rare-snare.com/csi/www.analistaweb.net
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.rare-snare.comReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.salonandspaexperts.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.salonandspaexperts.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.salonandspaexperts.com/csi/www.foodbyroyalbites.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.salonandspaexperts.comReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.ss01center.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.ss01center.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.ss01center.com/csi/www.naturaldesiproducts.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.ss01center.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.swim-maki.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.swim-maki.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.swim-maki.com/csi/www.bermudesfcrasettlement.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.swim-maki.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.tabuk24.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.tabuk24.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.tabuk24.com/csi/www.swim-maki.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.tabuk24.comReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.uspaypausa.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.uspaypausa.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.uspaypausa.com/csi/www.ss01center.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.uspaypausa.comReferer:
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.wristaidmd.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.wristaidmd.com/csi/
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.wristaidmd.com/csi/www.nelivo.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp String found in binary or memory: http://www.wristaidmd.comReferer:
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Invoiceo.exe String found in binary or memory: https://github.com/unguest
Source: Invoiceo.exe String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: powershell.exe, 00000004.00000003.320382870.0000000004F91000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.325533885.0000000005112000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.333217488.00000000052FC000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Invoiceo.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00419D50 NtCreateFile, 11_2_00419D50
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00419E00 NtReadFile, 11_2_00419E00
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00419E80 NtClose, 11_2_00419E80
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00419F30 NtAllocateVirtualMemory, 11_2_00419F30
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00419D4C NtCreateFile, 11_2_00419D4C
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00419DFA NtReadFile, 11_2_00419DFA
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00419E7A NtClose, 11_2_00419E7A
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00419F2A NtAllocateVirtualMemory, 11_2_00419F2A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033B42E NtOpenThreadToken,NtOpenProcessToken,NtClose, 26_2_0033B42E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003384BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 26_2_003384BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003358A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 26_2_003358A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033B4F8 NtQueryInformationToken,NtQueryInformationToken, 26_2_0033B4F8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033B4C0 NtQueryInformationToken, 26_2_0033B4C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00356D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 26_2_00356D90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0035B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 26_2_0035B5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00359AB4 NtSetInformationFile, 26_2_00359AB4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003383F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 26_2_003383F2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9710 NtQueryInformationToken,LdrInitializeThunk, 26_2_033D9710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9780 NtMapViewOfSection,LdrInitializeThunk, 26_2_033D9780
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9FE0 NtCreateMutant,LdrInitializeThunk, 26_2_033D9FE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9A50 NtCreateFile,LdrInitializeThunk, 26_2_033D9A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 26_2_033D96E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D96D0 NtCreateKey,LdrInitializeThunk, 26_2_033D96D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 26_2_033D9910
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9540 NtReadFile,LdrInitializeThunk, 26_2_033D9540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D99A0 NtCreateSection,LdrInitializeThunk, 26_2_033D99A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D95D0 NtClose,LdrInitializeThunk, 26_2_033D95D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9860 NtQuerySystemInformation,LdrInitializeThunk, 26_2_033D9860
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9840 NtDelayExecution,LdrInitializeThunk, 26_2_033D9840
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CE730 NtQueryInformationProcess, 26_2_033CE730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03399335 NtClose,NtClose, 26_2_03399335
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9730 NtQueryVirtualMemory, 26_2_033D9730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03417365 NtQuerySystemInformation, 26_2_03417365
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0345FF69 NtQueryVirtualMemory, 26_2_0345FF69
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033DA710 NtOpenProcessToken, 26_2_033DA710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342176C NtWaitForSingleObject,NtClose, 26_2_0342176C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9B00 NtSetValueKey, 26_2_033D9B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9770 NtSetInformationFile, 26_2_033D9770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033DA770 NtOpenThread, 26_2_033DA770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9760 NtOpenProcess, 26_2_033D9760
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D7742 NtAllocateVirtualMemory, 26_2_033D7742
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339A7B0 NtClose,NtClose, 26_2_0339A7B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033DA3B0 NtGetContextThread, 26_2_033DA3B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0345F7DD NtFreeVirtualMemory, 26_2_0345F7DD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0345AFDE NtFreeVirtualMemory, 26_2_0345AFDE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D97A0 NtUnmapViewOfSection, 26_2_033D97A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03446BEA NtQueryVirtualMemory, 26_2_03446BEA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A8F87 NtProtectVirtualMemory,NtProtectVirtualMemory, 26_2_033A8F87
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0341FB88 NtProtectVirtualMemory, 26_2_0341FB88
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03465BA5 NtQueryInformationToken, 26_2_03465BA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339F7C0 NtClose, 26_2_0339F7C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03421242 NtUnmapViewOfSection,NtClose,NtClose,NtClose,NtClose,NtClose, 26_2_03421242
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339E620 NtClose, 26_2_0339E620
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9A20 NtResumeThread, 26_2_033D9A20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D2E1C NtDelayExecution, 26_2_033D2E1C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03417E63 NtProtectVirtualMemory, 26_2_03417E63
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9610 NtEnumerateValueKey, 26_2_033D9610
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9A10 NtQuerySection, 26_2_033D9A10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339C600 NtQueryValueKey,NtQueryValueKey, 26_2_0339C600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9A00 NtProtectVirtualMemory, 26_2_033D9A00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0345F209 NtFreeVirtualMemory,NtFreeVirtualMemory, 26_2_0345F209
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9670 NtQueryInformationProcess, 26_2_033D9670
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9660 NtAllocateVirtualMemory, 26_2_033D9660
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CBE62 NtProtectVirtualMemory, 26_2_033CBE62
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0345EE22 NtFreeVirtualMemory, 26_2_0345EE22
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9650 NtQueryValueKey, 26_2_033D9650
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03399240 NtClose,NtClose, 26_2_03399240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03421AD6 NtFreeVirtualMemory, 26_2_03421AD6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033952A5 NtClose,NtClose,NtClose,NtClose, 26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03392E9F NtClose, 26_2_03392E9F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CD294 NtClose, 26_2_033CD294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9A80 NtOpenDirectoryObject, 26_2_033D9A80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0344BE9B NtAllocateVirtualMemory, 26_2_0344BE9B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03460EA5 NtQueryVirtualMemory, 26_2_03460EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03413540 NtQueryValueKey,NtClose, 26_2_03413540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A9136 NtProtectVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory, 26_2_033A9136
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033DAD30 NtSetContextThread, 26_2_033DAD30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CC532 NtProtectVirtualMemory, 26_2_033CC532
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03461D55 NtFreeVirtualMemory, 26_2_03461D55
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B4120 NtClose, 26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9520 NtWaitForSingleObject, 26_2_033D9520
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03421570 NtQuerySystemInformation,NtClose, 26_2_03421570
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9560 NtWriteFile, 26_2_033D9560
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0344FD22 NtQueryInformationProcess, 26_2_0344FD22
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9950 NtQueueApcThread, 26_2_033D9950
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033C0548 NtQueryVirtualMemory, 26_2_033C0548
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_034219C8 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 26_2_034219C8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03392D8A NtWaitForSingleObject, 26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033ADD80 NtQueryVirtualMemory, 26_2_033ADD80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0344BDFA NtAllocateVirtualMemory, 26_2_0344BDFA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D95F0 NtQueryInformationFile, 26_2_033D95F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D99D0 NtCreateProcessEx, 26_2_033D99D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03421C49 NtQueryInformationProcess, 26_2_03421C49
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342C450 NtAdjustPrivilegesToken,NtClose,NtClose, 26_2_0342C450
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D9820 NtEnumerateKey, 26_2_033D9820
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03421C76 NtQueryInformationProcess, 26_2_03421C76
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03421879 NtAllocateVirtualMemory, 26_2_03421879
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B746D NtClose, 26_2_033B746D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033DB040 NtSuspendThread, 26_2_033DB040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0345F8C5 NtFreeVirtualMemory, 26_2_0345F8C5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CF0BF NtClose,NtClose, 26_2_033CF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342B8D0 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,NtClose,NtClose, 26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D98A0 NtWriteVirtualMemory, 26_2_033D98A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339DCA4 NtEnumerateKey,NtClose,NtClose, 26_2_0339DCA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03421CE4 NtQueryInformationProcess, 26_2_03421CE4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03417CF9 NtQueryVirtualMemory, 26_2_03417CF9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03413884 NtQueryValueKey,NtQueryValueKey, 26_2_03413884
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A80FC NtMapViewOfSection,NtUnmapViewOfSection, 26_2_033A80FC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D98F0 NtReadVirtualMemory, 26_2_033D98F0
Contains functionality to communicate with device drivers
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00346550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 26_2_00346550
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0034374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle, 26_2_0034374E
Detected potential crypto function
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 0_2_025F94A8 0_2_025F94A8
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 0_2_025FC148 0_2_025FC148
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 0_2_025FA758 0_2_025FA758
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 0_2_025FF838 0_2_025FF838
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C481C8 10_2_00C481C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C43148 10_2_00C43148
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C4EDA0 10_2_00C4EDA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C41DA8 10_2_00C41DA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C489A0 10_2_00C489A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C49BA0 10_2_00C49BA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C4BD20 10_2_00C4BD20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C93840 10_2_00C93840
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C9CA60 10_2_00C9CA60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C98DD8 10_2_00C98DD8
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00401030 11_2_00401030
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00401208 11_2_00401208
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041DAF0 11_2_0041DAF0
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041D3F7 11_2_0041D3F7
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041DCDE 11_2_0041DCDE
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00402D90 11_2_00402D90
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00409E30 11_2_00409E30
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041CF96 11_2_0041CF96
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00402FB0 11_2_00402FB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033D803 26_2_0033D803
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033E040 26_2_0033E040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00339CF0 26_2_00339CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003348E6 26_2_003348E6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00355CEA 26_2_00355CEA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00353506 26_2_00353506
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00341969 26_2_00341969
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00346550 26_2_00346550
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00337190 26_2_00337190
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003531DC 26_2_003531DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033FA30 26_2_0033FA30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00335226 26_2_00335226
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00335E70 26_2_00335E70
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00338AD7 26_2_00338AD7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033CB48 26_2_0033CB48
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00356FF0 26_2_00356FF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00345FC8 26_2_00345FC8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CEBB0 26_2_033CEBB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B6E30 26_2_033B6E30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03461D55 26_2_03461D55
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03390D20 26_2_03390D20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B4120 26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339F900 26_2_0339F900
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A841F 26_2_033A841F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451002 26_2_03451002
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033AB090 26_2_033AB090
Sample file is different than original file name gathered from version info
Source: Invoiceo.exe, 00000000.00000002.229009371.000000000B700000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000002.230389310.000000000B7F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000002.230389310.000000000B7F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000000.199355092.00000000003CE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSynchronizedList.exe6 vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000003.204309078.00000000038B3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs Invoiceo.exe
Source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs Invoiceo.exe
Source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Invoiceo.exe
Source: Invoiceo.exe, 0000000B.00000000.214276014.000000000069E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSynchronizedList.exe6 vs Invoiceo.exe
Source: Invoiceo.exe Binary or memory string: OriginalFilenameSynchronizedList.exe6 vs Invoiceo.exe
Uses 32bit PE files
Source: Invoiceo.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Invoiceo.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yYxmxiApi.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@19/19@3/1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit, 26_2_0033C5CA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0035A0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z, 26_2_0035A0D2
Source: C:\Users\user\Desktop\Invoiceo.exe File created: C:\Users\user\AppData\Roaming\yYxmxiApi.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2152:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_01
Source: C:\Users\user\Desktop\Invoiceo.exe Mutant created: \Sessions\1\BaseNamedObjects\HHooNBuZKemHGrt
Source: C:\Users\user\Desktop\Invoiceo.exe File created: C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp Jump to behavior
Source: Invoiceo.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Invoiceo.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Invoiceo.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Invoiceo.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\Invoiceo.exe File read: C:\Users\user\Desktop\Invoiceo.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Invoiceo.exe 'C:\Users\user\Desktop\Invoiceo.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Users\user\Desktop\Invoiceo.exe C:\Users\user\Desktop\Invoiceo.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Invoiceo.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe' Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe' Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe' Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Users\user\Desktop\Invoiceo.exe C:\Users\user\Desktop\Invoiceo.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Invoiceo.exe'
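The process chain listed above is the part of this report an endpoint team can act on: Invoiceo.exe adds Defender exclusions for itself and for its AppData copy with Add-MpPreference, registers a scheduled task from an XML file in the user's Temp directory, re-launches its own image (the hollowing target), and after injecting into explorer.exe has a 32-bit cmd.exe delete the original file. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it runs five heuristics over process-creation events. The events are constructed from the "Process created" lines above (plus one benign notepad.exe launch to show the rules stay quiet on it), and the heuristic names are my own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event: parent image, child image, child command line."""
    parent: str
    image: str
    cmdline: str


# Constructed sample events, transcribed from the "Process created" lines of this
# report, plus one benign event (notepad.exe) that should trip nothing.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\Invoiceo.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'"),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(r"C:\Users\user\Desktop\Invoiceo.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'"),
    ProcEvent(r"C:\Users\user\Desktop\Invoiceo.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp'"),
    ProcEvent(r"C:\Users\user\Desktop\Invoiceo.exe",
              r"C:\Users\user\Desktop\Invoiceo.exe",
              r"C:\Users\user\Desktop\Invoiceo.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\Invoiceo.exe'"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\notepad.exe"),
]

# Path argument of Add-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension
EXCLUSION_RE = re.compile(r"""-Exclusion(?:Path|Process|Extension)\s+['"]?([^'"\s]+)""", re.I)
# cmd.exe /c del <something>.exe, with or without quotes around the path
DEL_EXE_RE = re.compile(r"""/c\s+del\s+['"]?[^'"\s]+\.exe""", re.I)
TEMP_DIR = "\\appdata\\local\\temp\\"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic the event trips (empty list if none)."""
    hits = []
    low = ev.cmdline.lower()
    if "add-mppreference" in low and "-exclusion" in low:
        hits.append("defender_exclusion_added")
    if _basename(ev.image) == "schtasks.exe" and "/create" in low and "/xml" in low and TEMP_DIR in low:
        hits.append("schtasks_xml_from_temp")
    # A binary outside C:\Windows re-launching its own image is the usual prelude to
    # process hollowing; cmd.exe -> cmd.exe is normal shell behaviour and is excluded.
    if ev.parent.lower() == ev.image.lower() and not ev.image.lower().startswith("c:\\windows\\"):
        hits.append("self_spawn_outside_windows")
    if _basename(ev.image) == "cmd.exe" and DEL_EXE_RE.search(ev.cmdline):
        hits.append("cmd_del_executable")
    # explorer.exe is 64-bit on x64 Windows; it launching the 32-bit cmd.exe from
    # SysWOW64 is the trace of injected 32-bit code, as seen in this report.
    if _basename(ev.parent) == "explorer.exe" and ev.image.lower().startswith("c:\\windows\\syswow64\\"):
        hits.append("explorer_spawns_wow64_binary")
    return hits


def triage(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each heuristic name to the command lines that tripped it."""
    report: dict[str, list[str]] = {}
    for ev in events:
        for name in classify(ev):
            report.setdefault(name, []).append(ev.cmdline)
    return report


def exclusion_paths(events=SAMPLE_EVENTS) -> list[str]:
    """Paths the sample asked Defender to stop scanning, sorted for stable output."""
    found = {m.group(1) for ev in events for m in EXCLUSION_RE.finditer(ev.cmdline)}
    return sorted(found)


if __name__ == "__main__":
    for name, cmds in triage().items():
        print(f"[{name}]")
        for c in cmds:
            print("   ", c)
    print("Defender exclusions:", exclusion_paths())
```

On a live host the same two facts are cheap to verify: the exclusion list returned by `Get-MpPreference` and the task under `\Updates\` in the Task Scheduler should both be empty on a clean machine, and the paths printed by `exclusion_paths()` are what to look for.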
Source: C:\Users\user\Desktop\Invoiceo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Invoiceo.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Invoiceo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Invoiceo.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
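The three "Static PE information" lines above come straight from the PE headers: 32BIT_MACHINE and EXECUTABLE_IMAGE are bits of the COFF Characteristics field, NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT are bits of DllCharacteristics in the optional header, and a non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (data directory 14) marks a .NET assembly, which agrees with the mscorlib.ni.dll load noted earlier. The following Python is an added example, not part of the report: it parses those fields with only the standard library. The header bytes it builds are constructed to carry the flag values the report lists; they are not the sample's real bytes, and the field values other than the flags are placeholders.

```python
import struct

# COFF Characteristics bits (IMAGE_FILE_*)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# Optional header DllCharacteristics bits (IMAGE_DLLCHARACTERISTICS_*)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def build_sample_headers(machine=0x14C, characteristics=0x0102, dllchar=0x8540,
                         com_descriptor=(0x2008, 0x48)) -> bytes:
    """Constructed DOS + PE32 headers (no sections) with the requested flag values."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)      # e_lfanew at 0x3C -> 0x80
    dos += b"\0" * (0x80 - len(dos))
    coff = struct.pack("<IHHIIIHH", 0x00004550, machine, 1, 0, 0, 0, 224, characteristics)
    opt = struct.pack("<HBB", 0x10B, 48, 0)                   # PE32 magic, linker 48.0
    opt += struct.pack("<IIIIII", 0x1000, 0x600, 0, 0x2FDE, 0x2000, 0x4000)
    opt += struct.pack("<III", 0x400000, 0x2000, 0x200)       # ImageBase, alignments
    opt += struct.pack("<HHHHHH", 4, 0, 0, 0, 4, 0)           # OS/image/subsystem versions
    opt += struct.pack("<IIII", 0, 0x8000, 0x200, 0)          # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, dllchar)                     # WINDOWS_GUI, DllCharacteristics
    opt += struct.pack("<IIII", 0x100000, 0x1000, 0x100000, 0x1000)
    opt += struct.pack("<II", 0, 16)                          # LoaderFlags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if com_descriptor:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = com_descriptor
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + coff + opt


def parse_pe_flags(data: bytes) -> dict:
    """Extract machine, characteristics, DllCharacteristics and .NET-ness from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, _nsec, _ts, _sym, _nsym, _optsz, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                       # optional header starts after 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                        # PE32: directories at +96
        dir_off, ndirs_off = opt + 96, opt + 92
    elif magic == 0x20B:                                      # PE32+: directories at +112
        dir_off, ndirs_off = opt + 112, opt + 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]     # same offset for PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    com_rva, com_size = 0, 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_rva, com_size = struct.unpack_from("<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "is_32bit": magic == 0x10B,
        "file_characteristics": sorted(n for b, n in FILE_CHARACTERISTICS.items() if chars & b),
        "dll_characteristics": sorted(n for b, n in DLL_CHARACTERISTICS.items() if dllchar & b),
        "is_managed": com_rva != 0 and com_size != 0,         # CLR header present -> .NET image
    }


if __name__ == "__main__":
    for key, value in parse_pe_flags(build_sample_headers()).items():
        print(f"{key}: {value}")
```

Point `parse_pe_flags()` at `open(path, "rb").read()` for a real file; a managed 32-bit executable with DYNAMIC_BASE and NX_COMPAT set is the profile of a .NET loader, which is why the first stage here runs under the CLR while the unpacked FormBook payload at 0x400000 is native code.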
Source: Binary string: cmd.pdbUGP source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp, cmd.exe, 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp, cmd.exe, 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp, cmd.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 0_2_00319485 push cs; ret 0_2_00319492
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 0_2_003194E5 push cs; iretd 0_2_003194E6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C4A9E7 pushad ; retn 0000h 10_2_00C4A9F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C45287 push esp; retn 0000h 10_2_00C45292
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C452A7 push esi; retn 0000h 10_2_00C452C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C4521F push ecx; retn 0000h 10_2_00C45232
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C45237 push ecx; retn 0000h 10_2_00C45242
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C43B90 push cs; ret 10_2_00C43C62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C43C65 push cs; ret 10_2_00C43C66
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C93170 push esp; ret 10_2_00C93183
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C9A900 push eax; ret 10_2_00C9A913
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C90B0B push ebx; ret 10_2_00C90B1A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C9D30A pushad ; ret 10_2_00C9D313
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00C90B2D push ebx; ret 10_2_00C90B4A
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00401174 push ebx; retf 11_2_0040117A
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041DAF0 push esi; ret 11_2_0041D3F6
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041DAF0 push dword ptr [0E4C8D76h]; ret 11_2_0041DCD6
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041D3F7 push esi; ret 11_2_0041D3F6
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00417BAC push ebx; retf 11_2_00417C45
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00417C25 push ebx; retf 11_2_00417C45
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041DCDE push esi; ret 11_2_0041D3F6
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041CEF2 push eax; ret 11_2_0041CEF8
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041CEFB push eax; ret 11_2_0041CF62
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041CEA5 push eax; ret 11_2_0041CEF8
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041CF5C push eax; ret 11_2_0041CF62
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041E77F push eax; ret 11_2_0041E8E3
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0041CF96 push esi; ret 11_2_0041D3F6
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_005E94E5 push cs; iretd 11_2_005E94E6
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_005E9485 push cs; ret 11_2_005E9492
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003476BD push ecx; ret 26_2_003476D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003476D1 push ecx; ret 26_2_003476E4
Source: initial sample Static PE information: section name: .text entropy: 7.93397311121

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Invoiceo.exe File created: C:\Users\user\AppData\Roaming\yYxmxiApi.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp'

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEF
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Invoiceo.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Invoiceo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Invoiceo.exe PID: 6316, type: MEMORY
Source: Yara match File source: 0.2.Invoiceo.exe.276f578.1.raw.unpack, type: UNPACKEDPE
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Invoiceo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Invoiceo.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Invoiceo.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 00000000032098E4 second address: 00000000032098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000003209B4E second address: 0000000003209B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Invoiceo.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\Invoiceo.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Invoiceo.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Invoiceo.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Invoiceo.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\Invoiceo.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00409A80 rdtsc 11_2_00409A80
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Invoiceo.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5553
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1674
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4919
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1675
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5079
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1619
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Invoiceo.exe TID: 6320 Thread sleep time: -103696s >= -30000s
Source: C:\Users\user\Desktop\Invoiceo.exe TID: 6392 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6360 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6832 Thread sleep count: 4919 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6848 Thread sleep count: 1675 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7024 Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5964 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6984 Thread sleep count: 5079 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6988 Thread sleep count: 1619 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7076 Thread sleep count: 57 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\explorer.exe TID: 2996 Thread sleep time: -34000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1020 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0034245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 26_2_0034245C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003468BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 26_2_003468BA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 26_2_0033B89C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003385EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 26_2_003385EA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_003531DC FindFirstFileW,FindNextFileW,FindClose, 26_2_003531DC
Source: C:\Users\user\Desktop\Invoiceo.exe Thread delayed: delay time: 103696
Source: C:\Users\user\Desktop\Invoiceo.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: Invoiceo.exe, 00000000.00000003.215268410.0000000000A11000.00000004.00000001.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000004.00000003.393456131.0000000004DC0000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.394881873.0000000004F3D000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: explorer.exe, 0000000D.00000000.275306032.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000D.00000000.221314636.0000000001398000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.268751603.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Invoiceo.exe, 00000000.00000003.215268410.0000000000A11000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware8_O3CNNUWin32_VideoController1Z5FG1T2VideoController120060621000000.000000-0000.456736display.infMSBDAB587FGP2PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsG4NTR4RC
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 0000000D.00000000.275306032.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000D.00000000.250372199.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000D.00000000.268751603.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000D.00000002.500423211.00000000056E5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWal<%SystemRoot%\system32\mswsock.dllkagesB
Source: explorer.exe, 0000000D.00000000.275306032.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 0000000D.00000000.271240625.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000D.00000000.250274438.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 0000000D.00000000.275306032.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 0000000D.00000000.275968465.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 0000000D.00000000.268751603.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: powershell.exe, 00000004.00000003.393456131.0000000004DC0000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.394881873.0000000004F3D000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 0000000D.00000000.268751603.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Invoiceo.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Invoiceo.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_00409A80 rdtsc 11_2_00409A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Invoiceo.exe Code function: 11_2_0040ACC0 LdrLoadDll, 11_2_0040ACC0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00352258 IsDebuggerPresent, 26_2_00352258
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0035B5E0 mov eax, dword ptr fs:[00000030h] 26_2_0035B5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CE730 mov eax, dword ptr fs:[00000030h] 26_2_033CE730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03394F2E mov eax, dword ptr fs:[00000030h] 26_2_03394F2E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03468B58 mov eax, dword ptr fs:[00000030h] 26_2_03468B58
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03468F6A mov eax, dword ptr fs:[00000030h] 26_2_03468F6A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033C3B7A mov eax, dword ptr fs:[00000030h] 26_2_033C3B7A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0346070D mov eax, dword ptr fs:[00000030h] 26_2_0346070D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0346070D mov eax, dword ptr fs:[00000030h] 26_2_0346070D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342FF10 mov eax, dword ptr fs:[00000030h] 26_2_0342FF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342FF10 mov eax, dword ptr fs:[00000030h] 26_2_0342FF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339DB60 mov ecx, dword ptr fs:[00000030h] 26_2_0339DB60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033AFF60 mov eax, dword ptr fs:[00000030h] 26_2_033AFF60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0345131B mov eax, dword ptr fs:[00000030h] 26_2_0345131B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339F358 mov eax, dword ptr fs:[00000030h] 26_2_0339F358
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339DB40 mov eax, dword ptr fs:[00000030h] 26_2_0339DB40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033AEF40 mov eax, dword ptr fs:[00000030h] 26_2_033AEF40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CB390 mov eax, dword ptr fs:[00000030h] 26_2_033CB390
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A1B8F mov eax, dword ptr fs:[00000030h] 26_2_033A1B8F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A1B8F mov eax, dword ptr fs:[00000030h] 26_2_033A1B8F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0344D380 mov ecx, dword ptr fs:[00000030h] 26_2_0344D380
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0345138A mov eax, dword ptr fs:[00000030h] 26_2_0345138A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03417794 mov eax, dword ptr fs:[00000030h] 26_2_03417794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03417794 mov eax, dword ptr fs:[00000030h] 26_2_03417794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03417794 mov eax, dword ptr fs:[00000030h] 26_2_03417794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03465BA5 mov eax, dword ptr fs:[00000030h] 26_2_03465BA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339E620 mov eax, dword ptr fs:[00000030h] 26_2_0339E620
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0344B260 mov eax, dword ptr fs:[00000030h] 26_2_0344B260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0344B260 mov eax, dword ptr fs:[00000030h] 26_2_0344B260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03468A62 mov eax, dword ptr fs:[00000030h] 26_2_03468A62
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B3A1C mov eax, dword ptr fs:[00000030h] 26_2_033B3A1C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339C600 mov eax, dword ptr fs:[00000030h] 26_2_0339C600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339C600 mov eax, dword ptr fs:[00000030h] 26_2_0339C600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339C600 mov eax, dword ptr fs:[00000030h] 26_2_0339C600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D927A mov eax, dword ptr fs:[00000030h] 26_2_033D927A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033BAE73 mov eax, dword ptr fs:[00000030h] 26_2_033BAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033BAE73 mov eax, dword ptr fs:[00000030h] 26_2_033BAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033BAE73 mov eax, dword ptr fs:[00000030h] 26_2_033BAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033BAE73 mov eax, dword ptr fs:[00000030h] 26_2_033BAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033BAE73 mov eax, dword ptr fs:[00000030h] 26_2_033BAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A766D mov eax, dword ptr fs:[00000030h] 26_2_033A766D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03399240 mov eax, dword ptr fs:[00000030h] 26_2_03399240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03399240 mov eax, dword ptr fs:[00000030h] 26_2_03399240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03399240 mov eax, dword ptr fs:[00000030h] 26_2_03399240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03399240 mov eax, dword ptr fs:[00000030h] 26_2_03399240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0344FE3F mov eax, dword ptr fs:[00000030h] 26_2_0344FE3F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h] 26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h] 26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h] 26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h] 26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h] 26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A7E41 mov eax, dword ptr fs:[00000030h] 26_2_033A7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0344FEC0 mov eax, dword ptr fs:[00000030h] 26_2_0344FEC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033AAAB0 mov eax, dword ptr fs:[00000030h] 26_2_033AAAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033AAAB0 mov eax, dword ptr fs:[00000030h] 26_2_033AAAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CFAB0 mov eax, dword ptr fs:[00000030h] 26_2_033CFAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03468ED6 mov eax, dword ptr fs:[00000030h] 26_2_03468ED6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033952A5 mov eax, dword ptr fs:[00000030h] 26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033952A5 mov eax, dword ptr fs:[00000030h] 26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033952A5 mov eax, dword ptr fs:[00000030h] 26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033952A5 mov eax, dword ptr fs:[00000030h] 26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033952A5 mov eax, dword ptr fs:[00000030h] 26_2_033952A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CD294 mov eax, dword ptr fs:[00000030h] 26_2_033CD294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CD294 mov eax, dword ptr fs:[00000030h] 26_2_033CD294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342FE87 mov eax, dword ptr fs:[00000030h] 26_2_0342FE87
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A76E2 mov eax, dword ptr fs:[00000030h] 26_2_033A76E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033C16E0 mov ecx, dword ptr fs:[00000030h] 26_2_033C16E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03460EA5 mov eax, dword ptr fs:[00000030h] 26_2_03460EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03460EA5 mov eax, dword ptr fs:[00000030h] 26_2_03460EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03460EA5 mov eax, dword ptr fs:[00000030h] 26_2_03460EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_034146A7 mov eax, dword ptr fs:[00000030h] 26_2_034146A7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033C36CC mov eax, dword ptr fs:[00000030h] 26_2_033C36CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D8EC7 mov eax, dword ptr fs:[00000030h] 26_2_033D8EC7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03413540 mov eax, dword ptr fs:[00000030h] 26_2_03413540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033C513A mov eax, dword ptr fs:[00000030h] 26_2_033C513A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033C513A mov eax, dword ptr fs:[00000030h] 26_2_033C513A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033C4D3B mov eax, dword ptr fs:[00000030h] 26_2_033C4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033C4D3B mov eax, dword ptr fs:[00000030h] 26_2_033C4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033C4D3B mov eax, dword ptr fs:[00000030h] 26_2_033C4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339AD30 mov eax, dword ptr fs:[00000030h] 26_2_0339AD30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033A3D34 mov eax, dword ptr fs:[00000030h] 26_2_033A3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B4120 mov eax, dword ptr fs:[00000030h] 26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B4120 mov eax, dword ptr fs:[00000030h] 26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B4120 mov eax, dword ptr fs:[00000030h] 26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B4120 mov eax, dword ptr fs:[00000030h] 26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B4120 mov ecx, dword ptr fs:[00000030h] 26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03399100 mov eax, dword ptr fs:[00000030h] 26_2_03399100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03399100 mov eax, dword ptr fs:[00000030h] 26_2_03399100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03399100 mov eax, dword ptr fs:[00000030h] 26_2_03399100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339B171 mov eax, dword ptr fs:[00000030h] 26_2_0339B171
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339B171 mov eax, dword ptr fs:[00000030h] 26_2_0339B171
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033BC577 mov eax, dword ptr fs:[00000030h] 26_2_033BC577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033BC577 mov eax, dword ptr fs:[00000030h] 26_2_033BC577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B7D50 mov eax, dword ptr fs:[00000030h] 26_2_033B7D50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03468D34 mov eax, dword ptr fs:[00000030h] 26_2_03468D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0341A537 mov eax, dword ptr fs:[00000030h] 26_2_0341A537
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D3D43 mov eax, dword ptr fs:[00000030h] 26_2_033D3D43
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033BB944 mov eax, dword ptr fs:[00000030h] 26_2_033BB944
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033BB944 mov eax, dword ptr fs:[00000030h] 26_2_033BB944
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033C35A1 mov eax, dword ptr fs:[00000030h] 26_2_033C35A1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CFD9B mov eax, dword ptr fs:[00000030h] 26_2_033CFD9B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CFD9B mov eax, dword ptr fs:[00000030h] 26_2_033CFD9B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03392D8A mov eax, dword ptr fs:[00000030h] 26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03392D8A mov eax, dword ptr fs:[00000030h] 26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03392D8A mov eax, dword ptr fs:[00000030h] 26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03392D8A mov eax, dword ptr fs:[00000030h] 26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03392D8A mov eax, dword ptr fs:[00000030h] 26_2_03392D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03448DF1 mov eax, dword ptr fs:[00000030h] 26_2_03448DF1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CA185 mov eax, dword ptr fs:[00000030h] 26_2_033CA185
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033BC182 mov eax, dword ptr fs:[00000030h] 26_2_033BC182
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339B1E1 mov eax, dword ptr fs:[00000030h] 26_2_0339B1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339B1E1 mov eax, dword ptr fs:[00000030h] 26_2_0339B1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0339B1E1 mov eax, dword ptr fs:[00000030h] 26_2_0339B1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033AB02A mov eax, dword ptr fs:[00000030h] 26_2_033AB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033AB02A mov eax, dword ptr fs:[00000030h] 26_2_033AB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033AB02A mov eax, dword ptr fs:[00000030h] 26_2_033AB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033AB02A mov eax, dword ptr fs:[00000030h] 26_2_033AB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CBC2C mov eax, dword ptr fs:[00000030h] 26_2_033CBC2C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342C450 mov eax, dword ptr fs:[00000030h] 26_2_0342C450
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342C450 mov eax, dword ptr fs:[00000030h] 26_2_0342C450
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03461074 mov eax, dword ptr fs:[00000030h] 26_2_03461074
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03452073 mov eax, dword ptr fs:[00000030h] 26_2_03452073
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03451C06 mov eax, dword ptr fs:[00000030h] 26_2_03451C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0346740D mov eax, dword ptr fs:[00000030h] 26_2_0346740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0346740D mov eax, dword ptr fs:[00000030h] 26_2_0346740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0346740D mov eax, dword ptr fs:[00000030h] 26_2_0346740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03416C0A mov eax, dword ptr fs:[00000030h] 26_2_03416C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03416C0A mov eax, dword ptr fs:[00000030h] 26_2_03416C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03416C0A mov eax, dword ptr fs:[00000030h] 26_2_03416C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03416C0A mov eax, dword ptr fs:[00000030h] 26_2_03416C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03464015 mov eax, dword ptr fs:[00000030h] 26_2_03464015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03464015 mov eax, dword ptr fs:[00000030h] 26_2_03464015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B746D mov eax, dword ptr fs:[00000030h] 26_2_033B746D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03417016 mov eax, dword ptr fs:[00000030h] 26_2_03417016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03417016 mov eax, dword ptr fs:[00000030h] 26_2_03417016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03417016 mov eax, dword ptr fs:[00000030h] 26_2_03417016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B0050 mov eax, dword ptr fs:[00000030h] 26_2_033B0050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033B0050 mov eax, dword ptr fs:[00000030h] 26_2_033B0050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CF0BF mov ecx, dword ptr fs:[00000030h] 26_2_033CF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CF0BF mov eax, dword ptr fs:[00000030h] 26_2_033CF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033CF0BF mov eax, dword ptr fs:[00000030h] 26_2_033CF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03468CD6 mov eax, dword ptr fs:[00000030h] 26_2_03468CD6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_033D90AF mov eax, dword ptr fs:[00000030h] 26_2_033D90AF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342B8D0 mov eax, dword ptr fs:[00000030h] 26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342B8D0 mov ecx, dword ptr fs:[00000030h] 26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342B8D0 mov eax, dword ptr fs:[00000030h] 26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342B8D0 mov eax, dword ptr fs:[00000030h] 26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342B8D0 mov eax, dword ptr fs:[00000030h] 26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0342B8D0 mov eax, dword ptr fs:[00000030h] 26_2_0342B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03416CF0 mov eax, dword ptr fs:[00000030h] 26_2_03416CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03416CF0 mov eax, dword ptr fs:[00000030h] 26_2_03416CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03416CF0 mov eax, dword ptr fs:[00000030h] 26_2_03416CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03399080 mov eax, dword ptr fs:[00000030h] 26_2_03399080
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_034514FB mov eax, dword ptr fs:[00000030h] 26_2_034514FB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03413884 mov eax, dword ptr fs:[00000030h] 26_2_03413884
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_03413884 mov eax, dword ptr fs:[00000030h] 26_2_03413884
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033AC30 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap, 26_2_0033AC30
Enables debug privileges
Source: C:\Users\user\Desktop\Invoiceo.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Invoiceo.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00347310 SetUnhandledExceptionFilter, 26_2_00347310
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00346FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_00346FE3
Source: C:\Users\user\Desktop\Invoiceo.exe Memory allocated: page read and write | page guard
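The DebugPort query, the rdtsc hit at 11_2_00409A80 and the long list of fs:[30h] reads above are the raw evidence the sandbox pulled out of the code injected into cmd.exe. The scanner below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it looks for the same 32-bit instruction encodings in an unpacked code region and combines them into the two checks the report names (a PEB.BeingDebugged read, and an rdtsc pair used for timing). The byte buffer it scans is constructed for illustration and is not a dump of this sample; the pattern names and the `window` heuristic are the editor's own.

```python
"""
Scan an unpacked 32-bit code region for the anti-debugging instruction
encodings the sandbox reported: PEB access through fs:[30h], a byte load from
PEB+2 (BeingDebugged, the flag IsDebuggerPresent returns), and rdtsc timing
pairs. The buffer below is constructed for illustration and is not a dump of
the analysed sample.
"""
from typing import Dict, List, Tuple

# x86 (IA-32) encodings as they appear in SysWOW64 code.
PATTERNS: Dict[str, bytes] = {
    "mov eax, fs:[30h]": b"\x64\xA1\x30\x00\x00\x00",          # moffs form
    "mov ecx, fs:[30h]": b"\x64\x8B\x0D\x30\x00\x00\x00",      # ModRM form
    "movzx eax, byte ptr [eax+2]": b"\x0F\xB6\x40\x02",        # PEB.BeingDebugged
    "rdtsc": b"\x0F\x31",
}

# Constructed sample: prologue, BeingDebugged check, timed block, second PEB read.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                    # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00"      # mov eax, fs:[30h]            (offset 3)
    + b"\x0F\xB6\x40\x02"              # movzx eax, byte ptr [eax+2]  (offset 9)
    + b"\x85\xC0\x75\x10"              # test eax, eax; jnz +0x10
    + b"\x0F\x31"                      # rdtsc                        (offset 17)
    + b"\x8B\xD8"                      # mov ebx, eax
    + b"\x90" * 8                      # stand-in for the timed work
    + b"\x0F\x31"                      # rdtsc                        (offset 29)
    + b"\x2B\xC3"                      # sub eax, ebx
    + b"\x64\x8B\x0D\x30\x00\x00\x00"  # mov ecx, fs:[30h]            (offset 33)
    + b"\xC3"                          # ret
)


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """All offsets of needle in buf (overlaps allowed)."""
    hits, start = [], 0
    while (i := buf.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """(offset, mnemonic) for every pattern hit, sorted by offset."""
    hits = [(off, name) for name, pat in PATTERNS.items() for off in find_all(buf, pat)]
    return sorted(hits)


def summarize(hits: List[Tuple[int, str]], window: int = 32) -> Dict[str, object]:
    """Combine raw hits into the checks the report describes.

    peb_beingdebugged: a PEB read followed within `window` bytes by the byte
    load at +2. rdtsc_timing_pairs: consecutive rdtsc instructions close
    enough to be the start and stop of one timing measurement.
    """
    peb_reads = [o for o, m in hits if m.endswith("fs:[30h]")]
    byte_loads = [o for o, m in hits if m.startswith("movzx")]
    rdtsc = [o for o, m in hits if m == "rdtsc"]
    being_debugged = any(0 < b - p <= window for p in peb_reads for b in byte_loads)
    pairs = sum(1 for a, b in zip(rdtsc, rdtsc[1:]) if b - a <= window)
    return {
        "peb_reads": len(peb_reads),
        "peb_beingdebugged": being_debugged,
        "rdtsc_count": len(rdtsc),
        "rdtsc_timing_pairs": pairs,
    }


if __name__ == "__main__":
    found = scan(SAMPLE_CODE)
    for off, name in found:
        print(f"{off:#06x}  {name}")
    print(summarize(found))
```

The encodings are for 32-bit code, which is what the injected SysWOW64\cmd.exe runs; 64-bit builds reach the PEB through gs:[60h] instead. A bare PEB read is not evidence of anything, the loader and the CRT do it constantly, so the value is in the combination: a PEB read immediately followed by the byte load at offset 2, or two rdtsc instructions bracketing a short block, which is the execution-timing check reported at 11_2_00409A80. Treat the output as a triage aid for choosing which functions to open in a disassembler, not as a verdict.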

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.swim-maki.com
Source: C:\Windows\explorer.exe Network Connect: 154.207.58.218 80
Source: C:\Windows\explorer.exe Domain query: www.tabuk24.com
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Invoiceo.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Invoiceo.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Invoiceo.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Invoiceo.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Invoiceo.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Invoiceo.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 330000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp'
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'
Source: C:\Users\user\Desktop\Invoiceo.exe Process created: C:\Users\user\Desktop\Invoiceo.exe C:\Users\user\Desktop\Invoiceo.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Invoiceo.exe'
Source: explorer.exe, 0000000D.00000000.221314636.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 0000000D.00000000.222460310.0000000001980000.00000002.00000001.sdmp, cmd.exe, 0000001A.00000002.484986181.0000000004680000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000D.00000000.275306032.000000000871F000.00000004.00000001.sdmp, cmd.exe, 0000001A.00000002.484986181.0000000004680000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.222460310.0000000001980000.00000002.00000001.sdmp, cmd.exe, 0000001A.00000002.484986181.0000000004680000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.222460310.0000000001980000.00000002.00000001.sdmp, cmd.exe, 0000001A.00000002.484986181.0000000004680000.00000002.00000001.sdmp Binary or memory string: Progmanlock
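The evasion chain in this section is straightforward to turn into host-based detections: the powershell.exe command line, the schtasks /XML path under the user's Temp directory, the cmd /c del of the dropper and explorer.exe opening a socket are all visible in Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) events. The script below is an added example written for this page, not code from the report or from Joe Sandbox. The events it checks are constructed to mirror the lines above, with two benign rows added as controls; the rule names, the regular expressions and the `SHELL_IMAGES` list are the editor's own choices.

```python
"""
Behavioural triage over process-creation and network-connection events for
the evasion chain listed above: a Windows Defender exclusion added through
Add-MpPreference, a scheduled task imported from an XML file in a temp
directory, cmd.exe deleting the dropper, and a shell process (explorer.exe)
initiating an outbound connection. The events below are constructed to
mirror the report's lines; they are not parsed from a real Sysmon/EVTX export.
"""
import re
from typing import Dict, Iterable, List

Event = Dict[str, str]

# Constructed sample events (Sysmon-style fields, simplified). The last two
# rows are benign controls that must not produce findings.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\user\Desktop\Invoiceo.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe'"},
    {"type": "process",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\user\Desktop\Invoiceo.exe",
     "cmdline": r"schtasks.exe /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp'"},
    {"type": "process",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c del 'C:\Users\user\Desktop\Invoiceo.exe'"},
    {"type": "network",
     "image": r"C:\Windows\explorer.exe",
     "dest_ip": "154.207.58.218", "dest_port": "80"},
    {"type": "process",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"schtasks.exe /Query /TN 'Microsoft\Windows\Defrag\ScheduledDefrag'"},
    {"type": "network",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "93.184.216.34", "dest_port": "443"},
]

# Either cmdlet can add an exclusion; match any of the exclusion parameters.
EXCLUSION = re.compile(r"\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)
# schtasks /Create ... /XML <file>: capture the XML path so it can be checked.
TASK_XML = re.compile(r"/create\b.*?/xml\s+['\"]?([^'\"]+)", re.I)
# Per-user and system temp directories (backslashes escaped for the regex).
TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
# cmd /c del <something>.exe: the dropper removing itself after injection.
SELF_DELETE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+\.exe)", re.I)
# Processes that should not open sockets of their own; FormBook runs inside explorer.exe.
SHELL_IMAGES = {"explorer.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[Event]) -> List[Dict[str, str]]:
    """Return one finding per matching event, in input order."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        image = basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "")
        if ev["type"] == "process":
            if image == "powershell.exe" and EXCLUSION.search(cmd):
                findings.append({"rule": "defender_exclusion", "detail": cmd})
            elif image == "schtasks.exe":
                m = TASK_XML.search(cmd)
                if m and TEMP_DIRS.search(m.group(1)):
                    findings.append({"rule": "task_from_temp_xml", "detail": m.group(1)})
            elif image == "cmd.exe":
                m = SELF_DELETE.search(cmd)
                if m:
                    findings.append({"rule": "self_delete", "detail": m.group(1)})
        elif ev["type"] == "network" and image in SHELL_IMAGES:
            findings.append({"rule": "shell_process_network",
                             "detail": f"{image} -> {ev['dest_ip']}:{ev['dest_port']}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:24} {f['detail']}")
```

Both Add-MpPreference and Set-MpPreference are matched because either can add an exclusion, and an exclusion change also produces event 5007 (configuration changed) in the Microsoft-Windows-Windows Defender/Operational log, which gives a second signal that does not depend on command-line logging. The task rule is the same idea as the Sigma rule the report flagged (a scheduled task created from a temp location); the network rule is deliberately narrow, since a shell binary connecting to an external address is the observable side of the APC/thread-context injection into explorer.exe listed above.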

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 26_2_003396A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 26_2_00335AEF
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 26_2_00343F80
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Invoiceo.exe Queries volume information: C:\Users\user\Desktop\Invoiceo.exe VolumeInformation
Source: C:\Users\user\Desktop\Invoiceo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoiceo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoiceo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoiceo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoiceo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoiceo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_00353C49 GetSystemTime,SystemTimeToFileTime, 26_2_00353C49
Source: C:\Windows\SysWOW64\cmd.exe Code function: 26_2_0033443C GetVersion, 26_2_0033443C
Source: C:\Users\user\Desktop\Invoiceo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 402845  Sample: Invoiceo.exe  Startdate: 03/05/2021  Architecture: WINDOWS  Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree (recovered from the behavior graph):

Invoiceo.exe (started)
    Dropped files:
        C:\Users\user\AppData\Roaming\yYxmxiApi.exe (PE32)
        C:\Users\user\AppData\Local\...\tmpEE1D.tmp (XML)
        C:\Users\user\AppData\...\Invoiceo.exe.log (ASCII)
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements
    Invoiceo.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            DNS/IP: www.tabuk24.com 154.207.58.218, 49749, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles; www.swim-maki.com
            Signature: System process connects to network (likely due to code injection or exploit)
            cmd.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe (started)
                    conhost.exe (started)
    powershell.exe (started)
        conhost.exe (started)
    powershell.exe (started)
        conhost.exe (started)
    2 other processes
        conhost.exe (started)
        conhost.exe (started)

Contacted Public IPs

IP              Domain           Country     ASN     ASN Name                         Malicious
154.207.58.218  www.tabuk24.com  Seychelles  136800  XIAOZHIYUN1-AS-APICIDCNETWORKUS  true

Contacted Domains

Name               IP              Active
www.tabuk24.com    154.207.58.218  true
www.swim-maki.com  unknown         unknown

Contacted URLs

Name: http://www.tabuk24.com/csi/?TTgLKx=uFNDtp4H1nDLCVd&mR-ptRI=N6ynhade2rGTzfH7Obdga9j8h7xnVmduHv/FNLw2V1/oBiufSguui3vD99XwSD3G2mHh
    Malicious: true
    Antivirus Detection: Avira URL Cloud: safe
    Reputation: unknown

Name: www.swim-maki.com/csi/
    Malicious: true
    Antivirus Detection: Avira URL Cloud: safe
    Reputation: low