Windows Analysis Report
overdue invoices.exe

Overview

General Information

Sample Name: overdue invoices.exe
Analysis ID: 562159
MD5: e53e6bdf25f7c3bca385a3021e373061
SHA1: 3c91623488f8e645d8f55b802c78c46a86e968da
SHA256: a2e21d596824ac07de0a0835065fdf00bce5b233c537355edc49e7c10f7b8667
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Self deletion via cmd delete
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.storenight.store/rh64/"], "decoy": ["apx-consultoria.com", "naweekjanel.quest", "redcrossedgames.com", "braswellrestaurantgroup.com", "kakazaixian.com", "northernnightsky.com", "pauschalreisen.xyz", "getloyalclients.com", "fuckinggril.xyz", "kovtor.com", "harshalkadam.com", "lihsin.com", "blablacar-official.online", "zaratepsicologia.online", "taijaswanston.com", "babytono.com", "sunnycraftsman.com", "shicharroz.com", "dollytrailer.com", "vende-digital.com", "isaacsrealestate.net", "crecerspa.com", "themeraptor.com", "ptjl888.com", "iwanster.com", "shallmavis.com", "myowncorks.com", "centscert.com", "mysalonphotography.com", "goetzerehnstiftung.net", "hsee-sl.com", "bestuk-fixedrates.com", "atspom.com", "clashofclansapk.net", "pipszone.com", "graburballz.com", "petektemizlemehizmeti.com", "balancebybita.com", "cfdphind.com", "fsg-trading.com", "christinascleaningsvcsfl.com", "textile.wiki", "446321.com", "radiomuskan.com", "crystaltopagent.net", "andrewspellman.xyz", "afroonline.net", "shurommo.com", "obesite-morlaix.com", "encodexbd.com", "novemed.com", "perfumeghor.com", "dharma33.com", "potoobrant.com", "pravozachitapotreb.store", "enrevologix.net", "animositiesscale.info", "webgem-strategies.com", "ruralspices.com", "bibipopiah.com", "livebtctrades.com", "cannabisconnectionmt.com", "ammarus.com", "buildandrise.com"]}
Source: overdue invoices.exe Virustotal: Detection: 35%
Source: overdue invoices.exe ReversingLabs: Detection: 25%
Source: Yara match File source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: www.storenight.store/rh64/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\nsz4671.tmp\urfzxvl.dll Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\nsz4671.tmp\urfzxvl.dll ReversingLabs: Detection: 16%
Source: overdue invoices.exe Joe Sandbox ML: detected
Source: 20.0.explorer.exe.88e796c.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.overdue invoices.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.0.explorer.exe.88e796c.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 20.0.explorer.exe.88e796c.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.overdue invoices.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.overdue invoices.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.overdue invoices.exe.400000.1.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.overdue invoices.exe.400000.2.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.overdue invoices.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.0.explorer.exe.88e796c.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.svchost.exe.2c16000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.overdue invoices.exe.400000.3.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 11.2.svchost.exe.383796c.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.overdue invoices.exe.21a0000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.overdue invoices.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance

Source: overdue invoices.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: overdue invoices.exe, 00000000.00000003.349969071.000000001AE60000.00000004.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000000.00000003.347174579.000000001ACD0000.00000004.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.444112961.0000000000A8F000.00000040.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.443244927.0000000000970000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626644529.0000000003300000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.442747025.0000000002F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626897109.000000000341F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.444455468.0000000003100000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: overdue invoices.exe, overdue invoices.exe, 00000001.00000002.444112961.0000000000A8F000.00000040.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.443244927.0000000000970000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000B.00000002.626644529.0000000003300000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.442747025.0000000002F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626897109.000000000341F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.444455468.0000000003100000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: overdue invoices.exe, 00000001.00000002.445807622.0000000002AA0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: overdue invoices.exe, 00000001.00000002.445807622.0000000002AA0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630

Software Vulnerabilities

Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 4x nop then pop edi 1_2_004162D8
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 4x nop then pop ebx 1_2_00406AB6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop ebx 11_2_02996AB6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop edi 11_2_029A62D8

Networking

Source: Malware configuration extractor URLs: www.storenight.store/rh64/
Source: explorer.exe, 00000014.00000000.613469189.0000000007905000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.589957774.0000000007905000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.591242459.0000000007A93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.576966746.0000000007AA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.580691448.0000000007AA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.586467444.0000000007AA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.612578291.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.594365819.0000000007A93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.589641281.0000000007A93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: overdue invoices.exe, overdue invoices.exe, 00000000.00000000.342336809.0000000000409000.00000008.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000000.00000002.353122481.0000000000409000.00000004.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000001.00000000.346609456.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: overdue invoices.exe, 00000000.00000000.342336809.0000000000409000.00000008.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000000.00000002.353122481.0000000000409000.00000004.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000001.00000000.346609456.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.389880290.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.357320779.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.420908981.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.371882109.000000000095C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404F61

E-Banking Fraud

Source: Yara match File source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: initial sample Static PE information: Filename: overdue invoices.exe
Source: overdue invoices.exe Static file information: Suspicious name
Source: overdue invoices.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403225
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_0040604C 0_2_0040604C
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00404772 0_2_00404772
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0041D26A 1_2_0041D26A
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00408C7B 1_2_00408C7B
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00408C80 1_2_00408C80
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0041A6C6 1_2_0041A6C6
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009AB090 1_2_009AB090
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A620A8 1_2_00A620A8
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C20A0 1_2_009C20A0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A51002 1_2_00A51002
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0099F900 1_2_0099F900
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009B4120 1_2_009B4120
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009CEBB0 1_2_009CEBB0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009A841F 1_2_009A841F
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C2581 1_2_009C2581
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009AD5E0 1_2_009AD5E0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00990D20 1_2_00990D20
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A61D55 1_2_00A61D55
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A62EF7 1_2_00A62EF7
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009B6E30 1_2_009B6E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0335EBB0 11_2_0335EBB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03346E30 11_2_03346E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03320D20 11_2_03320D20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03344120 11_2_03344120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0332F900 11_2_0332F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F1D55 11_2_033F1D55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033E1002 11_2_033E1002
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0333B090 11_2_0333B090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029AD26A 11_2_029AD26A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029AA6C6 11_2_029AA6C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02992FB0 11_2_02992FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02998C80 11_2_02998C80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02998C7B 11_2_02998C7B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02992D90 11_2_02992D90
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: String function: 0099B150 appears 34 times
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_004185E0 NtCreateFile, 1_2_004185E0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00418690 NtReadFile, 1_2_00418690
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00418710 NtClose, 1_2_00418710
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_004187C0 NtAllocateVirtualMemory, 1_2_004187C0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0041868B NtReadFile, 1_2_0041868B
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0041870A NtClose, 1_2_0041870A
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_004187BA NtAllocateVirtualMemory, 1_2_004187BA
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_009D98F0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk, 1_2_009D9840
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_009D9860
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk, 1_2_009D99A0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_009D9910
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_009D9A00
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk, 1_2_009D9A20
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk, 1_2_009D9A50
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D95D0 NtClose,LdrInitializeThunk, 1_2_009D95D0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9540 NtReadFile,LdrInitializeThunk, 1_2_009D9540
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_009D96E0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_009D9660
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_009D9780
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_009D97A0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_009D9FE0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_009D9710
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D98A0 NtWriteVirtualMemory, 1_2_009D98A0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9820 NtEnumerateKey, 1_2_009D9820
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009DB040 NtSuspendThread, 1_2_009DB040
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D99D0 NtCreateProcessEx, 1_2_009D99D0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9950 NtQueueApcThread, 1_2_009D9950
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9A80 NtOpenDirectoryObject, 1_2_009D9A80
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9A10 NtQuerySection, 1_2_009D9A10
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009DA3B0 NtGetContextThread, 1_2_009DA3B0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9B00 NtSetValueKey, 1_2_009D9B00
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D95F0 NtQueryInformationFile, 1_2_009D95F0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009DAD30 NtSetContextThread, 1_2_009DAD30
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9520 NtWaitForSingleObject, 1_2_009D9520
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9560 NtWriteFile, 1_2_009D9560
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D96D0 NtCreateKey, 1_2_009D96D0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9610 NtEnumerateValueKey, 1_2_009D9610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369710 NtQueryInformationToken,LdrInitializeThunk, 11_2_03369710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369780 NtMapViewOfSection,LdrInitializeThunk, 11_2_03369780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369FE0 NtCreateMutant,LdrInitializeThunk, 11_2_03369FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_03369660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369650 NtQueryValueKey,LdrInitializeThunk, 11_2_03369650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369A50 NtCreateFile,LdrInitializeThunk, 11_2_03369A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033696E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_033696E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033696D0 NtCreateKey,LdrInitializeThunk, 11_2_033696D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_03369910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369540 NtReadFile,LdrInitializeThunk, 11_2_03369540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033699A0 NtCreateSection,LdrInitializeThunk, 11_2_033699A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033695D0 NtClose,LdrInitializeThunk, 11_2_033695D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_03369860
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369840 NtDelayExecution,LdrInitializeThunk, 11_2_03369840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369730 NtQueryVirtualMemory, 11_2_03369730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0336A710 NtOpenProcessToken, 11_2_0336A710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369B00 NtSetValueKey, 11_2_03369B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369770 NtSetInformationFile, 11_2_03369770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0336A770 NtOpenThread, 11_2_0336A770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369760 NtOpenProcess, 11_2_03369760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0336A3B0 NtGetContextThread, 11_2_0336A3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033697A0 NtUnmapViewOfSection, 11_2_033697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369A20 NtResumeThread, 11_2_03369A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369610 NtEnumerateValueKey, 11_2_03369610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369A10 NtQuerySection, 11_2_03369A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369A00 NtProtectVirtualMemory, 11_2_03369A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369670 NtQueryInformationProcess, 11_2_03369670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369A80 NtOpenDirectoryObject, 11_2_03369A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0336AD30 NtSetContextThread, 11_2_0336AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369520 NtWaitForSingleObject, 11_2_03369520
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369560 NtWriteFile, 11_2_03369560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369950 NtQueueApcThread, 11_2_03369950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033695F0 NtQueryInformationFile, 11_2_033695F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033699D0 NtCreateProcessEx, 11_2_033699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369820 NtEnumerateKey, 11_2_03369820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0336B040 NtSuspendThread, 11_2_0336B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033698A0 NtWriteVirtualMemory, 11_2_033698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033698F0 NtReadVirtualMemory, 11_2_033698F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029A8690 NtReadFile, 11_2_029A8690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029A87C0 NtAllocateVirtualMemory, 11_2_029A87C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029A8710 NtClose, 11_2_029A8710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029A85E0 NtCreateFile, 11_2_029A85E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029A868B NtReadFile, 11_2_029A868B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029A87BA NtAllocateVirtualMemory, 11_2_029A87BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029A870A NtClose, 11_2_029A870A
Source: overdue invoices.exe, 00000000.00000003.350178053.000000001AF7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs overdue invoices.exe
Source: overdue invoices.exe, 00000000.00000003.348670108.000000001ADE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs overdue invoices.exe
Source: overdue invoices.exe, 00000001.00000002.444822691.0000000000C1F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs overdue invoices.exe
Source: overdue invoices.exe, 00000001.00000002.445849303.0000000002AAB000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs overdue invoices.exe
Source: overdue invoices.exe, 00000001.00000002.444112961.0000000000A8F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs overdue invoices.exe
Source: overdue invoices.exe Virustotal: Detection: 35%
Source: overdue invoices.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\overdue invoices.exe File read: C:\Users\user\Desktop\overdue invoices.exe Jump to behavior
Source: overdue invoices.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\overdue invoices.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\overdue invoices.exe "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Users\user\Desktop\overdue invoices.exe Process created: C:\Users\user\Desktop\overdue invoices.exe "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Users\user\Desktop\overdue invoices.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\overdue invoices.exe Process created: C:\Users\user\Desktop\overdue invoices.exe "C:\Users\user\Desktop\overdue invoices.exe" Jump to behavior
Source: C:\Users\user\Desktop\overdue invoices.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\overdue invoices.exe" Jump to behavior
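The native-function inventory above (the 1_2_009D9xxx entries with NtWriteVirtualMemory, NtMapViewOfSection, NtQueueApcThread and NtSetContextThread) and the process-creation chain (sample spawns a second copy of itself, that copy spawns C:\Windows\SysWOW64\svchost.exe, and svchost.exe runs cmd.exe /c del on the sample's own path) are the raw evidence behind the report's injection, svchost and self-deletion findings. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in the "Code function:" and "Process created:" shape shown above and applies three checks. The input is a constructed, trimmed subset of this report's own lines, and the rule for what counts as injection capability (a write-or-map primitive plus a thread-hijack primitive in the same process) is an assumption of this example, not something the report states.

```python
"""Added example: pull process-creation and native-API evidence out of
Joe Sandbox report lines and flag the three behaviours this report shows."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: a trimmed subset of this report's own lines.
SAMPLE = r"""
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_009D9780
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D98A0 NtWriteVirtualMemory, 1_2_009D98A0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9950 NtQueueApcThread, 1_2_009D9950
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009DAD30 NtSetContextThread, 1_2_009DAD30
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D9A20 NtResumeThread, 1_2_009D9A20
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03369540 NtReadFile,LdrInitializeThunk, 11_2_03369540
Source: unknown Process created: C:\Users\user\Desktop\overdue invoices.exe "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Users\user\Desktop\overdue invoices.exe Process created: C:\Users\user\Desktop\overdue invoices.exe "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Users\user\Desktop\overdue invoices.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""

# "Code function: <proc>_<run>_<addr> Api1,Api2, <proc>_<run>_<addr>"; lines that
# carry only an address and no API list deliberately do not match.
CODE_RE = re.compile(
    r"^Source: (?P<src>.+?) Code function: (?P<proc>\d+)_\d+_[0-9A-Fa-f]+ (?P<apis>(?:\w+,)+) ")
# "Process created: <image path> <command line>"; image paths may contain spaces,
# so the image is taken as the shortest prefix ending in ".exe " (sufficient here).
PROC_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.*)$")
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)

# Assumption of this example: a process that can place bytes in a target (write or
# map) and also redirect a thread there (APC or context) is injection-capable.
WRITE_PRIMITIVES = {"NtWriteVirtualMemory", "NtMapViewOfSection"}
HIJACK_PRIMITIVES = {"NtQueueApcThread", "NtSetContextThread"}


def parse(text):
    """Return ({process index: set of API names}, [(parent, image, cmdline), ...])."""
    apis_by_proc = defaultdict(set)
    events = []
    for line in text.strip().splitlines():
        m = CODE_RE.match(line)
        if m:
            apis_by_proc[int(m["proc"])].update(a for a in m["apis"].split(",") if a)
            continue
        m = PROC_RE.match(line)
        if m:
            events.append((m["parent"], m["image"], m["cmdline"]))
    return apis_by_proc, events


def injection_capable(apis):
    return bool(apis & WRITE_PRIMITIVES) and bool(apis & HIJACK_PRIMITIVES)


def basename(path):
    return PureWindowsPath(path).name.lower()


def suspicious_svchost(events):
    """svchost.exe is normally started by services.exe; any other parent is suspect."""
    return [(parent, image) for parent, image, _ in events
            if basename(image) == "svchost.exe" and basename(parent) != "services.exe"]


def self_deletion(events):
    """cmd /c del whose target is the image of a process in the same tree."""
    images = {image.lower() for _, image, _ in events}
    hits = []
    for parent, image, cmdline in events:
        if basename(image) != "cmd.exe":
            continue
        m = DEL_RE.search(cmdline)
        if m and m["target"].lower() in images:
            hits.append((parent, m["target"]))
    return hits


def analyze(text):
    apis_by_proc, events = parse(text)
    return {
        "injection_procs": sorted(p for p, apis in apis_by_proc.items() if injection_capable(apis)),
        "svchost_parents": suspicious_svchost(events),
        "self_deletion": self_deletion(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed input, process 1 (the second copy of the sample) is the only injection-capable process, the svchost.exe instance is flagged because its parent is the sample rather than services.exe, and the cmd.exe line is flagged because its del target is an image already seen in the tree. The same three checks apply unchanged to Sysmon or EDR process-creation events once the parent, image and command line are extracted.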
Source: C:\Users\user\Desktop\overdue invoices.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db Jump to behavior
Source: C:\Users\user\Desktop\overdue invoices.exe File created: C:\Users\user\AppData\Local\Temp\nse4640.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/4@0/1
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
Source: C:\Users\user\Desktop\overdue invoices.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404275
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: wntdll.pdbUGP source: overdue invoices.exe, 00000000.00000003.349969071.000000001AE60000.00000004.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000000.00000003.347174579.000000001ACD0000.00000004.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.444112961.0000000000A8F000.00000040.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.443244927.0000000000970000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626644529.0000000003300000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.442747025.0000000002F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626897109.000000000341F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.444455468.0000000003100000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: overdue invoices.exe, overdue invoices.exe, 00000001.00000002.444112961.0000000000A8F000.00000040.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.443244927.0000000000970000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000B.00000002.626644529.0000000003300000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.442747025.0000000002F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626897109.000000000341F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.444455468.0000000003100000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: overdue invoices.exe, 00000001.00000002.445807622.0000000002AA0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: overdue invoices.exe, 00000001.00000002.445807622.0000000002AA0000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0041B822 push eax; ret 1_2_0041B828
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0041B82B push eax; ret 1_2_0041B892
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0041B88C push eax; ret 1_2_0041B892
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0041608F push eax; retf 1_2_00416093
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0040DAFB push cs; ret 1_2_0040DAFC
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0041544B push ecx; ret 1_2_0041544C
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00415D51 push ebx; ret 1_2_00415DFE
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_004015D1 push es; retf 1_2_004015D3
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00415DEB push ebx; ret 1_2_00415DFE
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00406EF8 push ebp; ret 1_2_00406EF9
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0041B7D5 push eax; ret 1_2_0041B828
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009ED0D1 push ecx; ret 1_2_009ED0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0337D0D1 push ecx; ret 11_2_0337D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0299DAFB push cs; ret 11_2_0299DAFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029AC37B pushad ; iretd 11_2_029AC37C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029A608F push eax; retf 11_2_029A6093
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029AB88C push eax; ret 11_2_029AB892
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029AB82B push eax; ret 11_2_029AB892
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029AB822 push eax; ret 11_2_029AB828
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02996EF8 push ebp; ret 11_2_02996EF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029AB7D5 push eax; ret 11_2_029AB828
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029A544B push ecx; ret 11_2_029A544C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029915D1 push es; retf 11_2_029915D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029A5DEB push ebx; ret 11_2_029A5DFE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_029A5D51 push ebx; ret 11_2_029A5DFE
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\overdue invoices.exe File created: C:\Users\user\AppData\Local\Temp\nsz4671.tmp\urfzxvl.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\svchost.exe Process created: /c del "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: /c del "C:\Users\user\Desktop\overdue invoices.exe" Jump to behavior
Source: C:\Users\user\Desktop\overdue invoices.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\overdue invoices.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (this entry is repeated 40 times in the report)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\overdue invoices.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\overdue invoices.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002998604 second address: 000000000299860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 000000000299899E second address: 00000000029989A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_004088D0 rdtsc 1_2_004088D0
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\overdue invoices.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\overdue invoices.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000014.00000000.613974368.00000000079AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000014.00000000.589957774.0000000007905000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000014.00000003.591040239.0000000007974000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000-2
Source: explorer.exe, 00000014.00000003.592267219.0000000007974000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\ewyF
Source: explorer.exe, 00000014.00000003.592267219.0000000007974000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000014.00000003.591040239.0000000007974000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b})
Source: explorer.exe, 00000014.00000000.613974368.00000000079AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00hg
Source: explorer.exe, 00000014.00000003.601176074.0000000007974000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}k
Source: explorer.exe, 00000005.00000000.362046790.00000000062E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000003.592267219.0000000007974000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000014.00000000.613974368.00000000079AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000014.00000000.608855089.00000000066C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000003.592267219.0000000007974000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\F8
Source: explorer.exe, 00000014.00000003.597780988.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Users
Source: explorer.exe, 00000014.00000003.592267219.0000000007974000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}fbFd
Source: explorer.exe, 00000014.00000003.601176074.0000000007974000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F{
Source: explorer.exe, 00000014.00000003.597780988.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ocalStateF
Source: explorer.exe, 00000014.00000003.577024843.0000000007945000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.365496291.00000000083EB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000014.00000003.577024843.0000000007945000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000014.00000000.604273347.00000000007F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000J
Source: explorer.exe, 00000005.00000000.396732361.00000000082E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.358496489.000000000461E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000005.00000000.375653244.00000000045BE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000005.00000000.396732361.00000000082E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.383000637.0000000008430000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.371882109.000000000095C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000014.00000003.601176074.0000000007974000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}s

Anti Debugging

Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_004088D0 rdtsc 1_2_004088D0
Source: C:\Users\user\Desktop\overdue invoices.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00999080 mov eax, dword ptr fs:[00000030h] 1_2_00999080
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009CF0BF mov ecx, dword ptr fs:[00000030h] 1_2_009CF0BF
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h] 1_2_009CF0BF
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h] 1_2_00A13884
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D90AF mov eax, dword ptr fs:[00000030h] 1_2_009D90AF
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A2B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009958EC mov eax, dword ptr fs:[00000030h] 1_2_009958EC
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h] 1_2_009AB02A
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h] 1_2_009C002D
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h] 1_2_00A64015
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h] 1_2_00A17016
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h] 1_2_009B0050
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A61074 mov eax, dword ptr fs:[00000030h] 1_2_00A61074
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A52073 mov eax, dword ptr fs:[00000030h] 1_2_00A52073
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A169A6 mov eax, dword ptr fs:[00000030h] 1_2_00A169A6
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C2990 mov eax, dword ptr fs:[00000030h] 1_2_009C2990
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009CA185 mov eax, dword ptr fs:[00000030h] 1_2_009CA185
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009BC182 mov eax, dword ptr fs:[00000030h] 1_2_009BC182
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h] 1_2_00A151BE
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h] 1_2_009C61A0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A241E8 mov eax, dword ptr fs:[00000030h] 1_2_00A241E8
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0099B1E1
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h] 1_2_00999100
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h] 1_2_009C513A
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009B4120 mov ecx, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h] 1_2_009BB944
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h] 1_2_0099B171
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0099C962 mov eax, dword ptr fs:[00000030h] 1_2_0099C962
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h] 1_2_009CD294
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h] 1_2_009AAAB0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009CFAB0 mov eax, dword ptr fs:[00000030h] 1_2_009CFAB0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h] 1_2_009952A5
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C2ACB mov eax, dword ptr fs:[00000030h] 1_2_009C2ACB
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C2AE4 mov eax, dword ptr fs:[00000030h] 1_2_009C2AE4
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009B3A1C mov eax, dword ptr fs:[00000030h] 1_2_009B3A1C
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h] 1_2_00995210
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00995210 mov ecx, dword ptr fs:[00000030h] 1_2_00995210
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h] 1_2_0099AA16
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009A8A0A mov eax, dword ptr fs:[00000030h] 1_2_009A8A0A
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h] 1_2_009D4A2C
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h] 1_2_00A4B260
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A68A62 mov eax, dword ptr fs:[00000030h] 1_2_00A68A62
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h] 1_2_00999240
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D927A mov eax, dword ptr fs:[00000030h] 1_2_009D927A
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A24257 mov eax, dword ptr fs:[00000030h] 1_2_00A24257
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A65BA5 mov eax, dword ptr fs:[00000030h] 1_2_00A65BA5
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C2397 mov eax, dword ptr fs:[00000030h] 1_2_009C2397
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009CB390 mov eax, dword ptr fs:[00000030h] 1_2_009CB390
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h] 1_2_009A1B8F
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A4D380 mov ecx, dword ptr fs:[00000030h] 1_2_00A4D380
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A5138A mov eax, dword ptr fs:[00000030h] 1_2_00A5138A
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h] 1_2_009C4BAD
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h] 1_2_00A153CA
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009BDBE9 mov eax, dword ptr fs:[00000030h] 1_2_009BDBE9
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A5131B mov eax, dword ptr fs:[00000030h] 1_2_00A5131B
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0099F358 mov eax, dword ptr fs:[00000030h] 1_2_0099F358
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0099DB40 mov eax, dword ptr fs:[00000030h] 1_2_0099DB40
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h] 1_2_009C3B7A
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0099DB60 mov ecx, dword ptr fs:[00000030h] 1_2_0099DB60
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A68B58 mov eax, dword ptr fs:[00000030h] 1_2_00A68B58
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009A849B mov eax, dword ptr fs:[00000030h] 1_2_009A849B
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A16CF0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A514FB mov eax, dword ptr fs:[00000030h] 1_2_00A514FB
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A68CD6 mov eax, dword ptr fs:[00000030h] 1_2_00A68CD6
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h] 1_2_00A6740D
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h] 1_2_00A16C0A
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009CBC2C mov eax, dword ptr fs:[00000030h] 1_2_009CBC2C
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009CA44B mov eax, dword ptr fs:[00000030h] 1_2_009CA44B
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h] 1_2_00A2C450
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009B746D mov eax, dword ptr fs:[00000030h] 1_2_009B746D
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h] 1_2_009CFD9B
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h] 1_2_00A605AC
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h] 1_2_00992D8A
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h] 1_2_009C2581
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h] 1_2_009C1DB5
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C35A1 mov eax, dword ptr fs:[00000030h] 1_2_009C35A1
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A48DF1 mov eax, dword ptr fs:[00000030h] 1_2_00A48DF1
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A16DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h] 1_2_009AD5E0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A68D34 mov eax, dword ptr fs:[00000030h] 1_2_00A68D34
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A1A537 mov eax, dword ptr fs:[00000030h] 1_2_00A1A537
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h] 1_2_009C4D3B
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0099AD30 mov eax, dword ptr fs:[00000030h] 1_2_0099AD30
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009B7D50 mov eax, dword ptr fs:[00000030h] 1_2_009B7D50
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D3D43 mov eax, dword ptr fs:[00000030h] 1_2_009D3D43
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A13540 mov eax, dword ptr fs:[00000030h] 1_2_00A13540
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h] 1_2_009BC577
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h] 1_2_00A60EA5
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A146A7 mov eax, dword ptr fs:[00000030h] 1_2_00A146A7
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A2FE87 mov eax, dword ptr fs:[00000030h] 1_2_00A2FE87
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C36CC mov eax, dword ptr fs:[00000030h] 1_2_009C36CC
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009D8EC7 mov eax, dword ptr fs:[00000030h] 1_2_009D8EC7
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A4FEC0 mov eax, dword ptr fs:[00000030h] 1_2_00A4FEC0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A68ED6 mov eax, dword ptr fs:[00000030h] 1_2_00A68ED6
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009A76E2 mov eax, dword ptr fs:[00000030h] 1_2_009A76E2
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C16E0 mov ecx, dword ptr fs:[00000030h] 1_2_009C16E0
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h] 1_2_009CA61C
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h] 1_2_0099C600
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00A4FE3F mov eax, dword ptr fs:[00000030h] 1_2_00A4FE3F
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_009C8E00 mov eax, dword ptr fs:[00000030h] 1_2_009C8E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0335E730 mov eax, dword ptr fs:[00000030h] 11_2_0335E730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03324F2E mov eax, dword ptr fs:[00000030h] 11_2_03324F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033E131B mov eax, dword ptr fs:[00000030h] 11_2_033E131B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033BFF10 mov eax, dword ptr fs:[00000030h] 11_2_033BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F070D mov eax, dword ptr fs:[00000030h] 11_2_033F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0332DB60 mov ecx, dword ptr fs:[00000030h] 11_2_0332DB60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F8F6A mov eax, dword ptr fs:[00000030h] 11_2_033F8F6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F8B58 mov eax, dword ptr fs:[00000030h] 11_2_033F8B58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0332F358 mov eax, dword ptr fs:[00000030h] 11_2_0332F358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0332DB40 mov eax, dword ptr fs:[00000030h] 11_2_0332DB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0333EF40 mov eax, dword ptr fs:[00000030h] 11_2_0333EF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F5BA5 mov eax, dword ptr fs:[00000030h] 11_2_033F5BA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033E138A mov eax, dword ptr fs:[00000030h] 11_2_033E138A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03331B8F mov eax, dword ptr fs:[00000030h] 11_2_03331B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033DD380 mov ecx, dword ptr fs:[00000030h] 11_2_033DD380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033DFE3F mov eax, dword ptr fs:[00000030h] 11_2_033DFE3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0332E620 mov eax, dword ptr fs:[00000030h] 11_2_0332E620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0332C600 mov eax, dword ptr fs:[00000030h] 11_2_0332C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0336927A mov eax, dword ptr fs:[00000030h] 11_2_0336927A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033DB260 mov eax, dword ptr fs:[00000030h] 11_2_033DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0333766D mov eax, dword ptr fs:[00000030h] 11_2_0333766D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03329240 mov eax, dword ptr fs:[00000030h] 11_2_03329240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033252A5 mov eax, dword ptr fs:[00000030h] 11_2_033252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F0EA5 mov eax, dword ptr fs:[00000030h] 11_2_033F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033A46A7 mov eax, dword ptr fs:[00000030h] 11_2_033A46A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0335D294 mov eax, dword ptr fs:[00000030h] 11_2_0335D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033BFE87 mov eax, dword ptr fs:[00000030h] 11_2_033BFE87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033376E2 mov eax, dword ptr fs:[00000030h] 11_2_033376E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033516E0 mov ecx, dword ptr fs:[00000030h] 11_2_033516E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F8ED6 mov eax, dword ptr fs:[00000030h] 11_2_033F8ED6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033536CC mov eax, dword ptr fs:[00000030h] 11_2_033536CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033DFEC0 mov eax, dword ptr fs:[00000030h] 11_2_033DFEC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0332AD30 mov eax, dword ptr fs:[00000030h] 11_2_0332AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h] 11_2_03333D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F8D34 mov eax, dword ptr fs:[00000030h] 11_2_033F8D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03354D3B mov eax, dword ptr fs:[00000030h] 11_2_03354D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0335513A mov eax, dword ptr fs:[00000030h] 11_2_0335513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03344120 mov eax, dword ptr fs:[00000030h] 11_2_03344120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03344120 mov ecx, dword ptr fs:[00000030h] 11_2_03344120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03329100 mov eax, dword ptr fs:[00000030h] 11_2_03329100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0332B171 mov eax, dword ptr fs:[00000030h] 11_2_0332B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0334C577 mov eax, dword ptr fs:[00000030h] 11_2_0334C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03347D50 mov eax, dword ptr fs:[00000030h] 11_2_03347D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0334B944 mov eax, dword ptr fs:[00000030h] 11_2_0334B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03363D43 mov eax, dword ptr fs:[00000030h] 11_2_03363D43
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033A3540 mov eax, dword ptr fs:[00000030h] 11_2_033A3540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033535A1 mov eax, dword ptr fs:[00000030h] 11_2_033535A1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0335FD9B mov eax, dword ptr fs:[00000030h] 11_2_0335FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0335A185 mov eax, dword ptr fs:[00000030h] 11_2_0335A185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0334C182 mov eax, dword ptr fs:[00000030h] 11_2_0334C182
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03322D8A mov eax, dword ptr fs:[00000030h] 11_2_03322D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033D8DF1 mov eax, dword ptr fs:[00000030h] 11_2_033D8DF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0332B1E1 mov eax, dword ptr fs:[00000030h] 11_2_0332B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0333B02A mov eax, dword ptr fs:[00000030h] 11_2_0333B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0335BC2C mov eax, dword ptr fs:[00000030h] 11_2_0335BC2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F4015 mov eax, dword ptr fs:[00000030h] 11_2_033F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033A7016 mov eax, dword ptr fs:[00000030h] 11_2_033A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F740D mov eax, dword ptr fs:[00000030h] 11_2_033F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033E1C06 mov eax, dword ptr fs:[00000030h] 11_2_033E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F1074 mov eax, dword ptr fs:[00000030h] 11_2_033F1074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033E2073 mov eax, dword ptr fs:[00000030h] 11_2_033E2073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0334746D mov eax, dword ptr fs:[00000030h] 11_2_0334746D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033BC450 mov eax, dword ptr fs:[00000030h] 11_2_033BC450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0335F0BF mov ecx, dword ptr fs:[00000030h] 11_2_0335F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_0335F0BF mov eax, dword ptr fs:[00000030h] 11_2_0335F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033690AF mov eax, dword ptr fs:[00000030h] 11_2_033690AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03329080 mov eax, dword ptr fs:[00000030h] 11_2_03329080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033A3884 mov eax, dword ptr fs:[00000030h] 11_2_033A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033E14FB mov eax, dword ptr fs:[00000030h] 11_2_033E14FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033F8CD6 mov eax, dword ptr fs:[00000030h] 11_2_033F8CD6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033BB8D0 mov eax, dword ptr fs:[00000030h] 11_2_033BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033BB8D0 mov ecx, dword ptr fs:[00000030h] 11_2_033BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_033BB8D0 mov eax, dword ptr fs:[00000030h] 11_2_033BB8D0
Source: C:\Users\user\Desktop\overdue invoices.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 1_2_00409B40 LdrLoadDll, 1_2_00409B40

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\overdue invoices.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\overdue invoices.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Users\user\Desktop\overdue invoices.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\overdue invoices.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 4768
Source: C:\Users\user\Desktop\overdue invoices.exe Process created: C:\Users\user\Desktop\overdue invoices.exe "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Users\user\Desktop\overdue invoices.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\overdue invoices.exe"
Source: explorer.exe, 00000005.00000000.396932530.00000000083EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.372031934.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.382802561.00000000083EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.357411084.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.392099173.0000000004F80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.365496291.00000000083EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.421179202.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.390132183.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.586499289.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.609968569.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.545184848.000000000480D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.545672656.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.608047781.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.609403030.000000000480D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.389722019.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.372031934.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.357253926.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.357411084.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.371760370.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.420644613.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.421179202.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.390132183.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.586499289.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.606503278.0000000000749000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.609968569.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.545672656.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.608047781.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.606601992.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.543314235.0000000000749000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.603685695.0000000000749000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.609295302.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.545061952.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.585290137.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.582773403.0000000000749000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.372031934.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.357411084.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.421179202.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.390132183.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.372031934.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.357411084.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.421179202.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.390132183.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\overdue invoices.exe Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405AA7

Lowering of HIPS / PFW / Operating System Security Settings

Source: explorer.exe, 00000014.00000000.607521036.0000000004851000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.586000921.0000000004851000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.609558371.0000000004851000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Stealing of Sensitive Information

Source: Yara match File source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY