
Windows Analysis Report
overdue invoices.exe

Overview

General Information

Sample Name: overdue invoices.exe
Analysis ID: 562159
MD5: e53e6bdf25f7c3bca385a3021e373061
SHA1: 3c91623488f8e645d8f55b802c78c46a86e968da
SHA256: a2e21d596824ac07de0a0835065fdf00bce5b233c537355edc49e7c10f7b8667
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Self deletion via cmd delete
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • overdue invoices.exe (PID: 5240 cmdline: "C:\Users\user\Desktop\overdue invoices.exe" MD5: E53E6BDF25F7C3BCA385A3021E373061)
    • overdue invoices.exe (PID: 6680 cmdline: "C:\Users\user\Desktop\overdue invoices.exe" MD5: E53E6BDF25F7C3BCA385A3021E373061)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • svchost.exe (PID: 7072 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
        • cmd.exe (PID: 5964 cmdline: /c del "C:\Users\user\Desktop\overdue invoices.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • explorer.exe (PID: 4768 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
{"C2 list": ["www.storenight.store/rh64/"], "decoy": ["apx-consultoria.com", "naweekjanel.quest", "redcrossedgames.com", "braswellrestaurantgroup.com", "kakazaixian.com", "northernnightsky.com", "pauschalreisen.xyz", "getloyalclients.com", "fuckinggril.xyz", "kovtor.com", "harshalkadam.com", "lihsin.com", "blablacar-official.online", "zaratepsicologia.online", "taijaswanston.com", "babytono.com", "sunnycraftsman.com", "shicharroz.com", "dollytrailer.com", "vende-digital.com", "isaacsrealestate.net", "crecerspa.com", "themeraptor.com", "ptjl888.com", "iwanster.com", "shallmavis.com", "myowncorks.com", "centscert.com", "mysalonphotography.com", "goetzerehnstiftung.net", "hsee-sl.com", "bestuk-fixedrates.com", "atspom.com", "clashofclansapk.net", "pipszone.com", "graburballz.com", "petektemizlemehizmeti.com", "balancebybita.com", "cfdphind.com", "fsg-trading.com", "christinascleaningsvcsfl.com", "textile.wiki", "446321.com", "radiomuskan.com", "crystaltopagent.net", "andrewspellman.xyz", "afroonline.net", "shurommo.com", "obesite-morlaix.com", "encodexbd.com", "novemed.com", "perfumeghor.com", "dharma33.com", "potoobrant.com", "pravozachitapotreb.store", "enrevologix.net", "animositiesscale.info", "webgem-strategies.com", "ruralspices.com", "bibipopiah.com", "livebtctrades.com", "cannabisconnectionmt.com", "ammarus.com", "buildandrise.com"]}
Source | Rule | Description | Author | Strings
Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
    Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
    Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
      Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Source | Rule | Description | Author | Strings
      Source: 1.2.overdue invoices.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
        Source: 1.2.overdue invoices.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        Source: 1.2.overdue invoices.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        • 0x15cd9:$sqlite3step: 68 34 1C 7B E1
        • 0x15dec:$sqlite3step: 68 34 1C 7B E1
        • 0x15d08:$sqlite3text: 68 38 2A 90 C5
        • 0x15e2d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
        Source: 1.0.overdue invoices.exe.400000.5.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
          Source: 1.0.overdue invoices.exe.400000.5.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          System Summary

          Source: Process started | Author: David Burkett | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\overdue invoices.exe" , ParentImage: C:\Users\user\Desktop\overdue invoices.exe, ParentProcessId: 6680, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7072
          Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\overdue invoices.exe" , ParentImage: C:\Users\user\Desktop\overdue invoices.exe, ParentProcessId: 6680, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7072
          Source: Process started | Author: vburov | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\overdue invoices.exe" , ParentImage: C:\Users\user\Desktop\overdue invoices.exe, ParentProcessId: 6680, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7072

          AV Detection

          Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.storenight.store/rh64/"], "decoy": ["apx-consultoria.com", "naweekjanel.quest", "redcrossedgames.com", "braswellrestaurantgroup.com", "kakazaixian.com", "northernnightsky.com", "pauschalreisen.xyz", "getloyalclients.com", "fuckinggril.xyz", "kovtor.com", "harshalkadam.com", "lihsin.com", "blablacar-official.online", "zaratepsicologia.online", "taijaswanston.com", "babytono.com", "sunnycraftsman.com", "shicharroz.com", "dollytrailer.com", "vende-digital.com", "isaacsrealestate.net", "crecerspa.com", "themeraptor.com", "ptjl888.com", "iwanster.com", "shallmavis.com", "myowncorks.com", "centscert.com", "mysalonphotography.com", "goetzerehnstiftung.net", "hsee-sl.com", "bestuk-fixedrates.com", "atspom.com", "clashofclansapk.net", "pipszone.com", "graburballz.com", "petektemizlemehizmeti.com", "balancebybita.com", "cfdphind.com", "fsg-trading.com", "christinascleaningsvcsfl.com", "textile.wiki", "446321.com", "radiomuskan.com", "crystaltopagent.net", "andrewspellman.xyz", "afroonline.net", "shurommo.com", "obesite-morlaix.com", "encodexbd.com", "novemed.com", "perfumeghor.com", "dharma33.com", "potoobrant.com", "pravozachitapotreb.store", "enrevologix.net", "animositiesscale.info", "webgem-strategies.com", "ruralspices.com", "bibipopiah.com", "livebtctrades.com", "cannabisconnectionmt.com", "ammarus.com", "buildandrise.com"]}
          Source: overdue invoices.exe | Virustotal: Detection: 35%
          Source: overdue invoices.exe | ReversingLabs: Detection: 25%
          Source: Yara match | File source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: www.storenight.store/rh64/ | Avira URL Cloud: Label: malware
          Source: C:\Users\user\AppData\Local\Temp\nsz4671.tmp\urfzxvl.dll | Virustotal: Detection: 19%
          Source: C:\Users\user\AppData\Local\Temp\nsz4671.tmp\urfzxvl.dll | ReversingLabs: Detection: 16%
          Source: overdue invoices.exe | Joe Sandbox ML: detected
          Source: 20.0.explorer.exe.88e796c.8.unpack | Avira: Label: TR/Patched.Ren.Gen
          Source: 1.2.overdue invoices.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 20.0.explorer.exe.88e796c.6.unpack | Avira: Label: TR/Patched.Ren.Gen
          Source: 20.0.explorer.exe.88e796c.3.unpack | Avira: Label: TR/Patched.Ren.Gen
          Source: 1.0.overdue invoices.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.overdue invoices.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
          Source: 1.0.overdue invoices.exe.400000.1.unpack | Avira: Label: TR/Patched.Ren.Gen2
          Source: 1.0.overdue invoices.exe.400000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
          Source: 1.0.overdue invoices.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 20.0.explorer.exe.88e796c.0.unpack | Avira: Label: TR/Patched.Ren.Gen
          Source: 11.2.svchost.exe.2c16000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
          Source: 1.0.overdue invoices.exe.400000.3.unpack | Avira: Label: TR/Patched.Ren.Gen2
          Source: 11.2.svchost.exe.383796c.4.unpack | Avira: Label: TR/Patched.Ren.Gen
          Source: 0.2.overdue invoices.exe.21a0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.overdue invoices.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: overdue invoices.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: wntdll.pdbUGP source: overdue invoices.exe, 00000000.00000003.349969071.000000001AE60000.00000004.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000000.00000003.347174579.000000001ACD0000.00000004.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.444112961.0000000000A8F000.00000040.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.443244927.0000000000970000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626644529.0000000003300000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.442747025.0000000002F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626897109.000000000341F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.444455468.0000000003100000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: overdue invoices.exe, overdue invoices.exe, 00000001.00000002.444112961.0000000000A8F000.00000040.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.443244927.0000000000970000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000B.00000002.626644529.0000000003300000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.442747025.0000000002F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626897109.000000000341F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.444455468.0000000003100000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: overdue invoices.exe, 00000001.00000002.445807622.0000000002AA0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: overdue invoices.exe, 00000001.00000002.445807622.0000000002AA0000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_00402630 FindFirstFileA,
          Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 4x nop then pop edi
          Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 4x nop then pop ebx
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop ebx
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi

          Networking

          Source: Malware configuration extractor | URLs: www.storenight.store/rh64/
          Source: explorer.exe, 00000014.00000000.613469189.0000000007905000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.589957774.0000000007905000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.591242459.0000000007A93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.576966746.0000000007AA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.580691448.0000000007AA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.586467444.0000000007AA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.612578291.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.594365819.0000000007A93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000003.589641281.0000000007A93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: overdue invoices.exe, overdue invoices.exe, 00000000.00000000.342336809.0000000000409000.00000008.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000000.00000002.353122481.0000000000409000.00000004.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000001.00000000.346609456.0000000000409000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: overdue invoices.exe, 00000000.00000000.342336809.0000000000409000.00000008.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000000.00000002.353122481.0000000000409000.00000004.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000001.00000000.346609456.0000000000409000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000005.00000000.389880290.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.357320779.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.420908981.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.371882109.000000000095C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          Source: Yara match | File source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com); "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group)
Source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com); "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group)
Source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com); "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group)
Source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com); "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group)
Source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com); "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group)
Source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com); "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group)
Source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com); "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group)
Source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com); "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group)
Source: initial sample | Static PE information: Filename: overdue invoices.exe
Source: overdue invoices.exe | Static file information: Suspicious name
Source: overdue invoices.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Both of the following rules matched every source listed below (rule metadata is given once):
Rule Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Rule Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_0040604C
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_00404772
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0041D26A
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00408C7B
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00408C80
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0041A6C6
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009AB090
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A620A8
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C20A0
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A51002
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0099F900
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009B4120
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009CEBB0
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009A841F
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C2581
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009AD5E0
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00990D20
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A61D55
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A62EF7
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009B6E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_0335EBB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03346E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03320D20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03344120
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_0332F900
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033F1D55
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033E1002
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_0333B090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_029AD26A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_029AA6C6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_02992FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_02998C80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_02998C7B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_02992D90
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: String function: 0099B150 appears 34 times
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_004185E0 NtCreateFile,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00418690 NtReadFile,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00418710 NtClose,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_004187C0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0041868B NtReadFile,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0041870A NtClose,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_004187BA NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009DB040 NtSuspendThread,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9A10 NtQuerySection,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009DA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009DAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9560 NtWriteFile,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D96D0 NtCreateKey,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033696E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033696D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033695D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_0336A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_0336A770 NtOpenThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369760 NtOpenProcess,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_0336A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033697A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369A20 NtResumeThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369A10 NtQuerySection,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_0336AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369560 NtWriteFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033695F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033699D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03369820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_0336B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033698A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033698F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_029A8690 NtReadFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_029A87C0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_029A8710 NtClose,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_029A85E0 NtCreateFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_029A868B NtReadFile,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_029A87BA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_029A870A NtClose,
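The native-API list above is the raw evidence behind the "Maps a DLL or memory area into another process", "Queues an APC in another process" and "Modifies the context of a thread in another process" signatures: the same set of NT system calls (NtCreateSection, NtMapViewOfSection, NtQueueApcThread, NtGetContextThread/NtSetContextThread, NtResumeThread) shows up both in the unpacked overdue invoices.exe (process 1) and in the svchost.exe it spawns (process 11). The following triage script is an added example, not Joe Sandbox output or FormBook code: it parses "Code function" lines in the report's format, groups the Nt* calls per process, and maps co-occurring calls to injection primitives. The signature table is the author's own heuristic, and the embedded input is a subset of the lines above (the 0_2_ line trimmed), so the per-process verdicts reflect that subset rather than the full listing.

```python
import re

# Constructed sample input: a subset of the "Code function" lines from the report
# section above, copied as-is (the 0_2_ line is trimmed to a few of its imports).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 0_2_00403225 EntryPoint,#17,SetErrorMode,DeleteFileA,ExitWindowsEx,ExitProcess,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D98A0 NtWriteVirtualMemory,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D9950 NtQueueApcThread,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009DA3B0 NtGetContextThread,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009DAD30 NtSetContextThread,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D99D0 NtCreateProcessEx,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033699A0 NtCreateSection,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03369780 NtMapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033697A0 NtUnmapViewOfSection,",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03369950 NtQueueApcThread,",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0336A3B0 NtGetContextThread,",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0336AD30 NtSetContextThread,",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03369A20 NtResumeThread,",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033699D0 NtCreateProcessEx,",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03369760 NtOpenProcess,",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0336A770 NtOpenThread,",
    r"Source: C:\Users\user\Desktop\overdue invoices.exeCode function: String function: 0099B150 appears 34 times",
]

# Tolerant of the extraction artefact on this page: the image path may run straight
# into "Code function:" or be separated from it by " | ".
LINE_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s*(?:\|\s*)?Code function:\s*"
    r"(?P<pid>\d+)_\d+_[0-9A-Fa-f]+\s+(?P<calls>\S+)"
)

# Heuristic: which co-occurring NT calls point at which injection primitive.
# (required set, any-of set). This table is the author's assumption, not a
# sandbox signature definition.
TECHNIQUE_SIGNATURES = {
    "section mapping into another process":
        ({"NtCreateSection", "NtMapViewOfSection"},
         {"NtResumeThread", "NtQueueApcThread", "NtSetContextThread"}),
    "APC queueing (thread injection)":
        ({"NtQueueApcThread"}, set()),
    "thread context hijacking":
        ({"NtGetContextThread", "NtSetContextThread"},
         {"NtResumeThread", "NtSuspendThread"}),
    "write-and-resume (classic injection)":
        ({"NtAllocateVirtualMemory", "NtWriteVirtualMemory",
          "NtProtectVirtualMemory", "NtResumeThread"}, set()),
    "process hollowing indicators":
        ({"NtUnmapViewOfSection", "NtCreateProcessEx"}, set()),
    "privilege adjustment (e.g. SeDebugPrivilege)":
        ({"NtAdjustPrivilegesToken"}, set()),
    "cross-process handle acquisition":
        ({"NtOpenProcess"}, {"NtOpenThread"}),
}


def parse_line(line):
    """Return (image, pid, [Nt* calls]) for a Code-function line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    calls = [c for c in m.group("calls").split(",") if c.startswith("Nt")]
    return m.group("image"), m.group("pid"), calls


def classify(apis):
    """Names of techniques whose required calls are all present (plus one any-of call)."""
    hits = []
    for name, (required, any_of) in TECHNIQUE_SIGNATURES.items():
        if required <= apis and (not any_of or any_of & apis):
            hits.append(name)
    return sorted(hits)


def triage(lines):
    """Group Nt* calls per sandbox process id and classify each process."""
    per_pid = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        image, pid, calls = parsed
        entry = per_pid.setdefault(pid, {"image": image, "apis": set()})
        entry["apis"].update(calls)
    return {
        pid: {"image": e["image"], "apis": sorted(e["apis"]),
              "techniques": classify(e["apis"])}
        for pid, e in per_pid.items()
    }


if __name__ == "__main__":
    for pid, info in triage(REPORT_LINES).items():
        print(f"process {pid} ({info['image']}):")
        for t in info["techniques"] or ["no injection primitives seen"]:
            print(f"  - {t}")
```

The point of grouping by process rather than by address is that the verdict comes from the combination: NtCreateSection alone is benign, NtCreateSection plus NtMapViewOfSection plus NtResumeThread in a process that has no business creating threads elsewhere is not. On the sample subset, process 1 triggers every signature except handle acquisition, while process 11 is the one that opens other processes and threads, which matches the role each process plays in the chain above.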
Source: overdue invoices.exe, 00000000.00000003.350178053.000000001AF7F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs overdue invoices.exe
Source: overdue invoices.exe, 00000000.00000003.348670108.000000001ADE6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs overdue invoices.exe
Source: overdue invoices.exe, 00000001.00000002.444822691.0000000000C1F000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs overdue invoices.exe
Source: overdue invoices.exe, 00000001.00000002.445849303.0000000002AAB000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs overdue invoices.exe
Source: overdue invoices.exe, 00000001.00000002.444112961.0000000000A8F000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs overdue invoices.exe
Source: overdue invoices.exe | Virustotal: Detection: 35%
Source: overdue invoices.exe | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\overdue invoices.exe | File read: C:\Users\user\Desktop\overdue invoices.exe
Source: overdue invoices.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\overdue invoices.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\overdue invoices.exe "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Users\user\Desktop\overdue invoices.exe | Process created: C:\Users\user\Desktop\overdue invoices.exe "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Users\user\Desktop\overdue invoices.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\overdue invoices.exe | Process created: C:\Users\user\Desktop\overdue invoices.exe "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Users\user\Desktop\overdue invoices.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\overdue invoices.exe"
          Source: C:\Users\user\Desktop\overdue invoices.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.dbJump to behavior
          Source: C:\Users\user\Desktop\overdue invoices.exeFile created: C:\Users\user\AppData\Local\Temp\nse4640.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/4@0/1
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\overdue invoices.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
          Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: Binary string: wntdll.pdbUGP source: overdue invoices.exe, 00000000.00000003.349969071.000000001AE60000.00000004.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000000.00000003.347174579.000000001ACD0000.00000004.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.444112961.0000000000A8F000.00000040.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.443244927.0000000000970000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626644529.0000000003300000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.442747025.0000000002F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626897109.000000000341F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.444455468.0000000003100000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: overdue invoices.exe, overdue invoices.exe, 00000001.00000002.444112961.0000000000A8F000.00000040.00000800.00020000.00000000.sdmp, overdue invoices.exe, 00000001.00000002.443244927.0000000000970000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000B.00000002.626644529.0000000003300000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.442747025.0000000002F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.626897109.000000000341F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.444455468.0000000003100000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: overdue invoices.exe, 00000001.00000002.445807622.0000000002AA0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: overdue invoices.exe, 00000001.00000002.445807622.0000000002AA0000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0041B822 push eax; ret
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0041B82B push eax; ret
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0041B88C push eax; ret
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0041608F push eax; retf
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0040DAFB push cs; ret
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0041544B push ecx; ret
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00415D51 push ebx; ret
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_004015D1 push es; retf
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00415DEB push ebx; ret
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00406EF8 push ebp; ret
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0041B7D5 push eax; ret
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009ED0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0337D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0299DAFB push cs; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_029AC37B pushad ; iretd
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_029A608F push eax; retf
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_029AB88C push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_029AB82B push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_029AB822 push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_02996EF8 push ebp; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_029AB7D5 push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_029A544B push ecx; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_029915D1 push es; retf
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_029A5DEB push ebx; ret
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_029A5D51 push ebx; ret
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\overdue invoices.exeFile created: C:\Users\user\AppData\Local\Temp\nsz4671.tmp\urfzxvl.dllJump to dropped file
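Added example, not part of the Joe Sandbox report and not code from the sample: a Python byte-pattern scanner for the instruction sequences the report lists as evidence, the push <reg>; ret / retf and pushad; iretd rows directly above (call/push/ret obfuscation), and the back-to-back rdtsc and mov <reg>, fs:[30h] rows that appear under Malware Analysis System Evasion further down. The code buffer is constructed from the x86 encodings of those instructions and contains no bytes of the analysed sample; the function names, offsets and the 16-byte rdtsc window are the example's own choices.

```python
"""Byte-pattern scan for the instruction sequences flagged in this report:
push <reg>; ret / retf and pushad; iretd (call/push/ret obfuscation),
back-to-back rdtsc (timing checks) and mov reg, fs:[30h] (PEB reads).
SAMPLE is constructed from instruction encodings and holds no bytes of the
analysed sample. A byte scan is not a disassembler: a hit may straddle real
instruction boundaries, so treat hits as candidates to confirm in a disassembler."""
import re
from typing import Dict, List, Tuple

PUSH_R32: Dict[int, str] = {0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx",
                             0x54: "esp", 0x55: "ebp", 0x56: "esi", 0x57: "edi"}
PUSH_SEG: Dict[int, str] = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
RETS: Dict[int, str] = {0xC3: "ret", 0xCB: "retf"}
RDTSC = b"\x0f\x31"
# 64 A1 30 00 00 00       mov eax, fs:[30h]  (moffs32 form)
# 64 8B /r 30 00 00 00    mov r32, fs:[30h]  (modrm disp32 form, mod=00 rm=101)
PEB_RE = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")
MODRM_REG: Dict[int, str] = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
                              0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}


def scan_push_ret(buf: bytes) -> List[Tuple[int, str]]:
    """Offsets of push <reg>/<seg> immediately followed by ret/retf, and pushad; iretd."""
    hits = []
    for i in range(len(buf) - 1):
        op, nxt = buf[i], buf[i + 1]
        if nxt in RETS and (op in PUSH_R32 or op in PUSH_SEG):
            reg = PUSH_R32.get(op) or PUSH_SEG[op]
            hits.append((i, f"push {reg}; {RETS[nxt]}"))
        elif op == 0x60 and nxt == 0xCF:
            hits.append((i, "pushad; iretd"))
    return hits


def scan_rdtsc_pairs(buf: bytes, window: int = 16) -> List[Tuple[int, int]]:
    """Offsets of two rdtsc reads within `window` bytes, the shape of the
    report's RDTSC interceptor rows (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc)."""
    hits, i = [], buf.find(RDTSC)
    while i != -1:
        j = buf.find(RDTSC, i + 2, i + 2 + window)
        if j != -1:
            hits.append((i, j))
        i = buf.find(RDTSC, i + 2)
    return hits


def scan_peb_reads(buf: bytes) -> List[Tuple[int, str]]:
    """Offsets of mov <r32>, fs:[30h] (TEB -> PEB pointer, used for BeingDebugged etc.)."""
    hits = []
    for m in PEB_RE.finditer(buf):
        o = m.start()
        reg = "eax" if buf[o + 1] == 0xA1 else MODRM_REG[buf[o + 2]]
        hits.append((o, f"mov {reg}, dword ptr fs:[30h]"))
    return hits


# Constructed code buffer; offsets are given in the comments.
SAMPLE = (
    b"\x55\x8b\xec"                          #  0: push ebp; mov ebp, esp (ordinary prologue)
    + b"\x0f\x31\x33\xc9\x01\xc1\x0f\x31"    #  3: rdtsc; xor ecx, ecx; add ecx, eax; rdtsc
    + b"\x64\xa1\x30\x00\x00\x00"            # 11: mov eax, dword ptr fs:[30h]
    + b"\x64\x8b\x0d\x30\x00\x00\x00"        # 17: mov ecx, dword ptr fs:[30h]
    + b"\x90\x90"                            # 24: nop; nop
    + b"\x50\xc3"                            # 26: push eax; ret
    + b"\x06\xcb"                            # 28: push es; retf
    + b"\x60\xcf"                            # 30: pushad; iretd
    + b"\xc3"                                # 32: ret
)


def scan(buf: bytes) -> Dict[str, list]:
    return {"push_ret": scan_push_ret(buf),
            "rdtsc_pairs": scan_rdtsc_pairs(buf),
            "peb_reads": scan_peb_reads(buf)}


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE).items():
        print(kind, hits)
```

On a real dump, run `scan()` over each executable region (the sdmp regions listed in the report map to such regions) and confirm every hit in a disassembler; 0F 31 and 50 C3 also occur as fragments of unrelated encodings, so a single isolated hit means little, while clusters like the ones this report lists are what to look for.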

          Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\svchost.exe | Process created: /c del "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: /c del "C:\Users\user\Desktop\overdue invoices.exe"
Source: C:\Users\user\Desktop\overdue invoices.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\overdue invoices.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (42 identical rows)
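Added example, not part of the Joe Sandbox report and not code from the sample: a Python detection pass over process-creation events modelled on the "Process created" rows of this report (the sample starting a copy of itself, that copy starting C:\Windows\SysWOW64\svchost.exe with no arguments, and svchost.exe starting cmd.exe /c del "<sample path>", the self-deletion also listed just above). The event records, pids and field names are constructed for the example, and a benign services.exe -> svchost.exe -k chain is added as a control. It implements the three checks an analyst would want from the Sigma hits in the overview: svchost.exe whose parent is not services.exe, svchost.exe started without a -k service group, and a cmd.exe del whose target is the image of one of its own ancestors.

```python
"""Detection pass over process-creation events modelled on this report's
process tree. All records are constructed; pids and helper names are the
example's own, not fields of any particular EDR or Sysmon schema."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str    # command line as logged


# Constructed from the "Process created" rows of the report (pids are made up).
EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1,   r"C:\Users\user\Desktop\overdue invoices.exe", r'"C:\Users\user\Desktop\overdue invoices.exe"'),
    ProcEvent(101, 100, r"C:\Users\user\Desktop\overdue invoices.exe", r'"C:\Users\user\Desktop\overdue invoices.exe"'),
    ProcEvent(102, 101, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    ProcEvent(103, 102, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\overdue invoices.exe"'),
    ProcEvent(104, 103, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(105, 102, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS'),
    # Benign control: the normal service host chain (constructed, not from the report).
    ProcEvent(200, 4,   r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
]

# Matches  /c del "<path>"  and  /c del <path>  at the end of a command line.
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Parent, grandparent, ... as far as the event set knows them."""
    chain, cur = [], by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


Finding = Tuple[str, int, str]   # (rule name, offending pid, detail)


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else "<unknown>"
        if name == "svchost.exe":
            # Legitimate service hosts are started by services.exe with a -k group.
            if parent_name != "services.exe":
                findings.append(("svchost_parent_not_services", e.pid, parent_name))
            if "-k" not in e.cmdline.lower().split():
                findings.append(("svchost_without_service_group", e.pid, e.cmdline))
        if name == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m:
                target = m.group(1).strip().lower()
                # Self-deletion: the deleted file is the image of an ancestor process.
                for anc in ancestors(by_pid, e.pid):
                    if anc.image.lower() == target:
                        findings.append(("self_deletion_of_ancestor_image", e.pid, anc.image))
                        break
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The self-deletion rule walks the whole ancestor chain rather than just the parent because, as in this report, the `del` is issued by an injected svchost.exe one hop below the sample; matching only the direct parent would miss it.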

          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\overdue invoices.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\overdue invoices.exe | RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 0000000002998604 second address: 000000000299860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 000000000299899E second address: 00000000029989A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_004088D0 rdtsc
Source: C:\Windows\explorer.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\overdue invoices.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\overdue invoices.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\overdue invoices.exe | API call chain: ExitProcess graph end node
Source: explorer.exe, 00000014.00000000.613974368.00000000079AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000014.00000000.589957774.0000000007905000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000014.00000003.591040239.0000000007974000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000-2
Source: explorer.exe, 00000014.00000003.592267219.0000000007974000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\ewyF
Source: explorer.exe, 00000014.00000003.592267219.0000000007974000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000014.00000003.591040239.0000000007974000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b})
Source: explorer.exe, 00000014.00000000.613974368.00000000079AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00hg
Source: explorer.exe, 00000014.00000003.601176074.0000000007974000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}k
Source: explorer.exe, 00000005.00000000.362046790.00000000062E0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000003.592267219.0000000007974000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000014.00000000.613974368.00000000079AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000014.00000000.608855089.00000000066C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000003.592267219.0000000007974000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\F8
Source: explorer.exe, 00000014.00000003.597780988.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Users
Source: explorer.exe, 00000014.00000003.592267219.0000000007974000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}fbFd
Source: explorer.exe, 00000014.00000003.601176074.0000000007974000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F{
Source: explorer.exe, 00000014.00000003.597780988.0000000007AA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ocalStateF
Source: explorer.exe, 00000005.00000000.362046790.00000000062E0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000003.577024843.0000000007945000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.365496291.00000000083EB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000014.00000003.577024843.0000000007945000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000014.00000000.604273347.00000000007F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000J
Source: explorer.exe, 00000005.00000000.396732361.00000000082E2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.358496489.000000000461E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000005.00000000.375653244.00000000045BE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000005.00000000.396732361.00000000082E2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.383000637.0000000008430000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.371882109.000000000095C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000014.00000003.601176074.0000000007974000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}s
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_004088D0 rdtsc
Source: C:\Users\user\Desktop\overdue invoices.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00999080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009CF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A2B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009958EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A61074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A52073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A169A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009CA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009BC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A241E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009B4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0099C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009CFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009C2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009B3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00995210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009A8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00A68A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A24257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A65BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009CB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A4D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A5138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009BDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A5131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0099F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0099DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0099DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A68B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A514FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A68CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009CBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009CA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009B746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A48DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A68D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A1A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0099AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009B7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A13540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A146A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A2FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009D8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A4FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A68ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009A76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_00A4FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\overdue invoices.exeCode function: 1_2_009C8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0335E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03324F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03324F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033E131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0333EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033E138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03331B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03331B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033DD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033DFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0336927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0333766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03329240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03329240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03329240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03329240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033A46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0335D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0335D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033BFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033DFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03354D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03354D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03354D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0335513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0335513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03344120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03344120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03344120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03344120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03344120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03329100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03329100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03329100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0334C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0334C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03347D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0334B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0334B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03363D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033A3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0335FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0335FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0335A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0334C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03322D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03322D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03322D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03322D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_03322D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033D8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0332B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0333B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0333B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0333B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0333B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_0335BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 11_2_033A7016 mov eax, dword ptr fs:[00000030h]
          The fs:[00000030h] reads below fetch the PEB pointer from the TEB of the 32-bit (SysWOW64) svchost.exe; that is the API-free route to BeingDebugged, NtGlobalFlag and the loader module lists. The DebugPort entries correspond to NtQueryInformationProcess(ProcessDebugPort) calls. A count in parentheses gives how many such instructions sit in the same function.
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033A7016 mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033F740D mov eax, dword ptr fs:[00000030h] (3x)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033E1C06 mov eax, dword ptr fs:[00000030h] (14x)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033F1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033E2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_0334746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033BC450 mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_0335F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_0335F0BF mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_03329080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033A3884 mov eax, dword ptr fs:[00000030h] (2x)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033E14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033F8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033BB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 11_2_033BB8D0 mov eax, dword ptr fs:[00000030h] (4x)
          Source: C:\Users\user\Desktop\overdue invoices.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 1_2_00409B40 LdrLoadDll,

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Source: C:\Users\user\Desktop\overdue invoices.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write (2x)
          Source: C:\Users\user\Desktop\overdue invoices.exe | Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write (2x)
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: unknown protection: read write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\overdue invoices.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\overdue invoices.exe | Thread register set: target process: 3440 (2x)
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 4768
          Source: C:\Users\user\Desktop\overdue invoices.exe | Process created: C:\Users\user\Desktop\overdue invoices.exe "C:\Users\user\Desktop\overdue invoices.exe"
          Source: C:\Users\user\Desktop\overdue invoices.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\overdue invoices.exe"
          Source: explorer.exe, 00000005.00000000.396932530.00000000083EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.372031934.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.382802561.00000000083EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.357411084.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.392099173.0000000004F80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.365496291.00000000083EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.421179202.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.390132183.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.586499289.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.609968569.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.545184848.000000000480D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.545672656.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.608047781.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.609403030.000000000480D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.389722019.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.372031934.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.357253926.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.357411084.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.371760370.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.420644613.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.421179202.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.390132183.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.586499289.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.606503278.0000000000749000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.609968569.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.545672656.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.608047781.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.606601992.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.543314235.0000000000749000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.603685695.0000000000749000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.609295302.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.545061952.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.585290137.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.582773403.0000000000749000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.372031934.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.357411084.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.421179202.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.390132183.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: &Program Manager
          Source: explorer.exe, 00000005.00000000.372031934.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.357411084.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.421179202.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.390132183.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\overdue invoices.exe | Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
          Source: explorer.exe, 00000014.00000000.607521036.0000000004851000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.586000921.0000000004851000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.609558371.0000000004851000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe
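The process chain above (the sample re-launching itself, a SysWOW64 svchost.exe started without a service group by a user-profile executable, and a cmd.exe /c del aimed at the original binary) is exactly what the "Suspect Svchost Activity", "Suspicious Svchost Process" and "Self deletion via cmd delete" signatures key on. The following is an added example of that detection logic run over process-creation records; it is not Joe Sandbox's or any Sigma rule's code. The events are constructed to mirror the report; PIDs, the parent of the first process and the legitimate svchost.exe control case are invented, and the services.exe allow-list is this example's own assumption.

```python
"""Detect svchost.exe started outside the Service Control Manager and
cmd.exe /c del aimed at an ancestor's image, over Sysmon-style process
creation records. Added example, not Joe Sandbox code."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 / Security 4688 record."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


# Assumption: only the SCM legitimately starts svchost.exe.
LEGIT_SVCHOST_PARENTS = {"services.exe"}


def split_args(cmdline: str) -> list[str]:
    """Minimal Windows command-line tokenizer: split on whitespace outside
    double quotes, strip the quotes. Enough for the command lines above."""
    args, cur, in_quote = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        args.append(cur)
    return args


def name_of(path: str) -> str:
    return ntpath.basename(path).lower()


def check_svchost(ev: ProcEvent) -> list[str]:
    """Suspicious svchost: wrong parent, or no -k service group."""
    if name_of(ev.image) != "svchost.exe":
        return []
    reasons = []
    if name_of(ev.parent_image) not in LEGIT_SVCHOST_PARENTS:
        reasons.append(f"parent is {ev.parent_image}")
    if "-k" not in (a.lower() for a in split_args(ev.cmdline)):
        reasons.append("no -k service group on the command line")
    return [f"pid {ev.pid} svchost.exe: {r}" for r in reasons]


def check_self_delete(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    """cmd.exe /c del <path> where <path> is the image of an ancestor."""
    if name_of(ev.image) != "cmd.exe":
        return []
    args = [a.lower() for a in split_args(ev.cmdline)]
    verbs = [i for i, a in enumerate(args) if a in ("del", "erase")]
    if "/c" not in args or not verbs:
        return []
    targets = {a for a in args[verbs[0] + 1:] if not a.startswith("/")}
    seen, cur = set(), by_pid.get(ev.parent_pid)
    while cur is not None and cur.pid not in seen:   # walk up, guard cycles
        seen.add(cur.pid)
        if cur.image.lower() in targets:
            return [f"pid {ev.pid} cmd.exe deletes ancestor image "
                    f"{cur.image} (pid {cur.pid})"]
        cur = by_pid.get(cur.parent_pid)
    return []


def analyze(events: list[ProcEvent]) -> list[str]:
    by_pid = {e.pid: e for e in events}
    findings: list[str] = []
    for ev in events:
        findings += check_svchost(ev)
        findings += check_self_delete(ev, by_pid)
    return findings


# Constructed events mirroring the report's chain (PIDs invented).
SAMPLE = r"C:\Users\user\Desktop\overdue invoices.exe"
EVENTS = [
    # control case: a real service host started by the SCM
    ProcEvent(800, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p",
              600, r"C:\Windows\System32\services.exe"),
    ProcEvent(3000, SAMPLE, f'"{SAMPLE}"', 3440, r"C:\Windows\explorer.exe"),
    ProcEvent(3100, SAMPLE, f'"{SAMPLE}"', 3000, SAMPLE),
    ProcEvent(3200, r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\SysWOW64\svchost.exe", 3100, SAMPLE),
    ProcEvent(3300, r"C:\Windows\SysWOW64\cmd.exe",
              f'C:\\Windows\\SysWOW64\\cmd.exe /c del "{SAMPLE}"',
              3200, r"C:\Windows\SysWOW64\svchost.exe"),
]

if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
```

The ancestor walk matters: the deleting cmd.exe is two hops away from the binary it removes (svchost.exe is in between), so a rule that only compares cmd.exe's direct parent misses this sample. In production, the Sysmon ParentProcessId and ParentImage fields feed the same two checks unchanged.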

          Stealing of Sensitive Information

          barindex
          Source: Yara match | File source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Source: Yara match | File source: 1.2.overdue invoices.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.overdue invoices.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.overdue invoices.exe.21a0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.overdue invoices.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.overdue invoices.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          MITRE ATT&CK matrix: techniques with signature hits, grouped by tactic. The number in parentheses is the hit count as shown in the report; tactics and techniques without a hit are not listed.
          Execution: Native API (1)
          Privilege Escalation: Process Injection (312)
          Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (2), Process Injection (312), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), File Deletion (1)
          Discovery: Query Registry (1), Security Software Discovery (241), Virtualization/Sandbox Evasion (2), Process Discovery (2), File and Directory Discovery (2), System Information Discovery (13)
          Collection: Archive Collected Data (1), Clipboard Data (1)
          Command and Control: Encrypted Channel (1), Application Layer Protocol (1)
          Impact: System Shutdown/Reboot (1)
          No hits: Initial Access, Persistence, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects
          Antivirus detection: sample
          Source | Detection | Scanner | Label
          overdue invoices.exe | 36% | Virustotal |
          overdue invoices.exe | 26% | ReversingLabs | Win32.Trojan.Risis
          overdue invoices.exe | 100% | Joe Sandbox ML |

          Antivirus detection: dropped files
          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsz4671.tmp\urfzxvl.dll | 19% | Virustotal |
          C:\Users\user\AppData\Local\Temp\nsz4671.tmp\urfzxvl.dll | 16% | ReversingLabs | Win32.Trojan.Sdum

          Antivirus detection: unpacked PE files
          Source | Detection | Scanner | Label
          20.0.explorer.exe.88e796c.8.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.2.overdue invoices.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          20.0.explorer.exe.88e796c.6.unpack | 100% | Avira | TR/Patched.Ren.Gen
          20.0.explorer.exe.88e796c.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.0.overdue invoices.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.overdue invoices.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.overdue invoices.exe.400000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.overdue invoices.exe.400000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.overdue invoices.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          20.0.explorer.exe.88e796c.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          11.2.svchost.exe.2c16000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.0.overdue invoices.exe.400000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          11.2.svchost.exe.383796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
          0.2.overdue invoices.exe.21a0000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.overdue invoices.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Antivirus detection: domains
          No Antivirus matches

          Antivirus detection: URLs
          Source | Detection | Scanner | Label
          www.storenight.store/rh64/ | 3% | Virustotal |
          www.storenight.store/rh64/ | 100% | Avira URL Cloud | malware

          Contacted domains
          No contacted domains info

          Contacted URLs
          Name | Malicious | Antivirus Detection | Reputation
          www.storenight.store/rh64/ | true | Virustotal 3%; Avira URL Cloud: malware | low
          URLs from memory and binaries
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.389880290.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.357320779.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.420908981.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.371882109.000000000095C000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
          http://nsis.sf.net/NSIS_Error | overdue invoices.exe, overdue invoices.exe, 00000000.00000000.342336809.0000000000409000.00000008.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000000.00000002.353122481.0000000000409000.00000004.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000001.00000000.346609456.0000000000409000.00000008.00000001.01000000.00000003.sdmp | false | (none) | high
          http://nsis.sf.net/NSIS_ErrorError | overdue invoices.exe, 00000000.00000000.342336809.0000000000409000.00000008.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000000.00000002.353122481.0000000000409000.00000004.00000001.01000000.00000003.sdmp, overdue invoices.exe, 00000001.00000000.346609456.0000000000409000.00000008.00000001.01000000.00000003.sdmp | false | (none) | high
                Contacted IPs
                IP | Domain | Country | ASN | ASN Name | Malicious
                192.168.2.1 | (none) | (none) | (none) | (none) | (not flagged)
                The only contacted IP is a private RFC 1918 address inside the analysis network; the report records no public C2 connection, only the C2 URL extracted from the configuration.
                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:562159
                Start date:28.01.2022
                Start time:15:17:55
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 10m 42s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:overdue invoices.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:31
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:1
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@9/4@0/1
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:
                • Successful, ratio: 65.2% (good quality ratio 59.7%)
                • Quality average: 72.2%
                • Quality standard deviation: 31.6%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe
                • Excluded IPs from analysis (whitelisted): 23.211.6.115
                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtCreateFile calls found.
                • Report size getting too big, too many NtEnumerateKey calls found.
                • Report size getting too big, too many NtEnumerateValueKey calls found.
                • Report size getting too big, too many NtOpenFile calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                Time | Type | Description
                15:20:17 | API Interceptor | 133x Sleep call for process: explorer.exe modified
                Process:C:\Users\user\Desktop\overdue invoices.exe
                File Type:data
                Category:dropped
                Size (bytes):218569
                Entropy (8bit):7.994840241040685
                Encrypted:true
                SSDEEP:6144:JzkhtuwSrhQwHd/yprd9NGAOhxr9xN+abfRzyqtgR71GO:wtutltdCB/TO7PN+UfRzyx1GO
                MD5:A2B4716C51728E07EE484B239DE63E38
                SHA1:ABD1539EBA912CD443BACBDC6F4AB5B5DD9297ED
                SHA-256:97E5CD0634551C8FFBBF5CAE36DC4477AE7477EDE0B21F55887FF703C6DB5BF3
                SHA-512:92BF047D0AC3B6D8F4CC6AA48DD88A815346B9879DE26A746ED70B12C57280CBEED3CD1782BCE75CDFC5F5E11E11EFF2D14A814E8441C7A6B3A961B2A9A1B8A0
                Malicious:false
                Reputation:low
                Preview:..h._c.-...XJq.V.........S?.G._.h.....+q...K*.j.X.8f........v.....g*,.7..u|w(2.6..E....I..|.Z..[y....q ...Z.r...s1R.L.. .w....#.X....J\.....J]...5..|.I.KE~e...C...|I.@;....p...".U..v..U...In.N6vm.$..*..s...Q..f.....~>......N50`TQDm.G../. U.j.]/..Ec.-..P.R....!..M...<..>hG._.......+qf..K*.j.X.8f....K...&.5.;\.]..<.v.Y.;?........5W..u*.o...X.p......>....e.1R.L.. ..A..B...n.[..&.'b.*..i.....-N4ko.J@.V.~c[....R...|..p...)OU.~... l...n.N6vmY$..=...r.LdQ..f......>......N50.TQ.m.G../. ..j../..Ec.-..\.R.....!..M.".<..>.G._.h.....+q...K*.j.X.8f....K...&.5.;\.]..<.v.Y.;?........5W..u*.o...X.p......>....e.1R.L.. ..A..B...n.[..&.'b.*..i.....-N4ko.J@.V.~c[....R.;....p.....U.J...t...In.N6vmY$..=...s.L.Q..f......>......N50.TQ.m.G../. ..j../..Ec.-..\.R.....!..M.".<..>.G._.h.....+q...K*.j.X.8f....K...&.5.;\.]..<.v.Y.;?........5W..u*.o...X.p......>....e.1R.L.. ..A..B...n.[..&.'b.*..i.....-N4ko.J@.V.~c[....R.;....p.....U.J...t...In.N6vmY$..=...s.L.Q..f......>....
                Process:C:\Users\user\Desktop\overdue invoices.exe
                File Type:data
                Category:dropped
                Size (bytes):4881
                Entropy (8bit):6.16370682106836
                Encrypted:false
                SSDEEP:96:NtYlIQFqs1Tjge1qVOERr//qaQcaEi6o6qKfNfdbN9udv8N+6aym86BUecxC:wXg6Tjg6sF5/qLJ6XqKZdOdv/6y863
                MD5:EEA52E8D3BE9A6E4268857A90F646400
                SHA1:4A3F1D30AAEE7CBE4F89E8098C1120B9D79B86A9
                SHA-256:4404F10E023A62DB4445FF0BCE7118B4A8CFB4DBA282D1BF3145F07901620B91
                SHA-512:C54C0F48738D52FDD101E1B9EA98FAEDF723EAA59260DDD7F3C36AEF9C0351B50D2A6EAC5627D28FEA73B0EBD52433A45988DB25F8633B373545AFCA5218BC83
                Malicious:false
                Reputation:low
                Preview:bC@;;.........;..{..,.[..{..,....#;..'s;;;..O;(..(.+..#.&;;;..C..G(..(.+..#.;;;..k..o(..(.+..#.l;;;..S..W(..(.+..#.i;;;..{.....+?..5..4{<<.....[.._..+..?............'.?j.m5+.P....<.'.?}..'....O._.5..;;;;.?.>Tt.'(.C.(.k.(.S..(.{..(.[.(..Q.+...P....O...*..(.C.....>...<.'.;;;;...?.;;;.?..T..O.......^.}.;.....{..,.#....;...L.....;..+./j..#..j?..'....;.....*..#..'.^.}.;31%....=;;.9=;;}/;3.(H...=;;..=;;}.;3.....=;;..=;;}.;...s..{..,....#+;;;..C..'..#;.1..'.;;..'...'..#...#._./>;;.{......5..4.;...C...G....5..jJ;...C...G5=5..4{;..>C.3.(H..Z*;;.Y&((..O......(....(((..O..O;.A...;.@...*;;;...^.}?;......{..,....#s;;;..{..'..#;.1..'.;;..'...'..#...#._..?;;.{...;;;....5..4.;...{........5..jJ;...{......+.5..ZJ...{....../..5..4m<...{........5..jJ=...{....5>5..4{;..>{.31%...a;;;.\'((..O...;.........*.0(..(./(.+(..(....)((..O..O;.A...;.@...*;;;...^.}/;......#+;;;.._..'..#;.1..'.;;..'...'..#...#._.5<;;.{......5..4.;..._........5..jJ;..._....5=5..4{;..>_.3.... ;;;..'((..O..(.
                Process:C:\Users\user\Desktop\overdue invoices.exe
                File Type:data
                Category:dropped
                Size (bytes):269344
                Entropy (8bit):7.673336729910951
                Encrypted:false
                SSDEEP:6144:LX6zkhtuwSrhQwHd/yprd9NGAOhxr9xN+abfRzyqtgR71GHDw:5tutltdCB/TO7PN+UfRzyx1GH
                MD5:42D350914397CBD208C16387FA16F6C8
                SHA1:48196391E4E3B34D993031BC5E2F9D41101F524A
                SHA-256:E74B59373153E10A79B5F842A6AA0A5E81C791308A2C68E4EF891A683B1E6C7C
                SHA-512:3909EDDE6DD3C9D308B3B0A52A1CB01ABCDB051F96BADAA2C69E5FF0FDDE1F8E1E7E8DA3E2014140259340E1CC7DC827AAA5CE559BBBC4A28E4E7E91FFF69FBE
                Malicious:false
                Reputation:low
                Preview:6a......,...................0...4K......P`.......a..........................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\Desktop\overdue invoices.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):20992
                Entropy (8bit):5.7440203845912166
                Encrypted:false
                SSDEEP:384:96PUQ1aldbpD3HXY0QmwiEiTIYKopaZUb6xhbofub8:9G1albrXY0HwinMdZeUhbomb
                MD5:13A034A08CE0C32CCD5F18F71518DB26
                SHA1:DFD650892733715B3172CBBCC2456D87C0C5C6D4
                SHA-256:598452578751D1C75F6C6F945D814DBAA104FFF2BFC3D37E125CDDB0F434450F
                SHA-512:F3247A0CF9E3304E86E5FF9496FF70D10DBA2584F28651225CAD320D07821E16D952AE2D93FDF308869A1787FEBA6425C5F9D39FF1ED5814A6EA648BB9F0E25E
                Malicious:true
                Antivirus:
                • Antivirus: Virustotal, Detection: 19%
                • Antivirus: ReversingLabs, Detection: 16%
                Reputation:low
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q...0...0...0...[...0...0..0..Mn...0..Mn...0..Hn...0..Mn...0..Rich.0..................PE..L....-.a...........!.....@...................P............................................@.........................0Q..H...xQ.......`.......................p.......................................................P..0............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.rsrc........`.......N..............@..@.reloc.......p.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                Entropy (8bit):7.930922900924507
                TrID:
                • Win32 Executable (generic) a (10002005/4) 92.16%
                • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:overdue invoices.exe
                File size:256415
                MD5:e53e6bdf25f7c3bca385a3021e373061
                SHA1:3c91623488f8e645d8f55b802c78c46a86e968da
                SHA256:a2e21d596824ac07de0a0835065fdf00bce5b233c537355edc49e7c10f7b8667
                SHA512:a54df3b4f56156b00fb1799caf305e1384b9d0f2c489f7e66baa921c70ec0ebbd251c049fa6ecea06f81f94f90cccc0154da82e4716fc58e0b528f4d766c610a
                SSDEEP:6144:owfSTftYMNfs8em/DkuBvGwsBQJb4veqz:7glTN08emod9F2qz
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....
                Icon Hash:b2a88c96b2ca6a72
                Entrypoint:0x403225
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                DLL Characteristics:
                Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:099c0646ea7282d232219f8807883be0
                Instruction
                sub esp, 00000180h
                push ebx
                push ebp
                push esi
                xor ebx, ebx
                push edi
                mov dword ptr [esp+18h], ebx
                mov dword ptr [esp+10h], 00409128h
                xor esi, esi
                mov byte ptr [esp+14h], 00000020h
                call dword ptr [00407030h]
                push 00008001h
                call dword ptr [004070B4h]
                push ebx
                call dword ptr [0040727Ch]
                push 00000008h
                mov dword ptr [00423F58h], eax
                call 00007FD078B84290h
                mov dword ptr [00423EA4h], eax
                push ebx
                lea eax, dword ptr [esp+34h]
                push 00000160h
                push eax
                push ebx
                push 0041F450h
                call dword ptr [00407158h]
                push 004091B0h
                push 004236A0h
                call 00007FD078B83F47h
                call dword ptr [004070B0h]
                mov edi, 00429000h
                push eax
                push edi
                call 00007FD078B83F35h
                push ebx
                call dword ptr [0040710Ch]
                cmp byte ptr [00429000h], 00000022h
                mov dword ptr [00423EA0h], eax
                mov eax, edi
                jne 00007FD078B8175Ch
                mov byte ptr [esp+14h], 00000022h
                mov eax, 00429001h
                push dword ptr [esp+14h]
                push eax
                call 00007FD078B83A28h
                push eax
                call dword ptr [0040721Ch]
                mov dword ptr [esp+1Ch], eax
                jmp 00007FD078B817B5h
                cmp cl, 00000020h
                jne 00007FD078B81758h
                inc eax
                cmp byte ptr [eax], 00000020h
                je 00007FD078B8174Ch
                cmp byte ptr [eax], 00000022h
                mov byte ptr [eax+eax+00h], 00000000h
                Programming Language:
                • [EXP] VC++ 6.0 SP5 build 8804
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94693169534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country
                RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
                RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
                RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
                RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
                RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
                RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                DLL | Import
                KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
                USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                Language of compilation system | Country where language is spoken
                English | United States
                No network behavior found

                Target ID:0
                Start time:15:18:52
                Start date:28/01/2022
                Path:C:\Users\user\Desktop\overdue invoices.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\overdue invoices.exe"
                Imagebase:0x400000
                File size:256415 bytes
                MD5 hash:E53E6BDF25F7C3BCA385A3021E373061
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.353489816.00000000021A0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                Target ID:1
                Start time:15:18:54
                Start date:28/01/2022
                Path:C:\Users\user\Desktop\overdue invoices.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\overdue invoices.exe"
                Imagebase:0x400000
                File size:256415 bytes
                MD5 hash:E53E6BDF25F7C3BCA385A3021E373061
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.442760136.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.443132188.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.351727367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.350667334.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.443082963.00000000008B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                Target ID:5
                Start time:15:18:59
                Start date:28/01/2022
                Path:C:\Windows\explorer.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\Explorer.EXE
                Imagebase:0x7ff6f22f0000
                File size:3933184 bytes
                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.385434941.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.399598391.000000000F71F000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:high

                Target ID:11
                Start time:15:19:38
                Start date:28/01/2022
                Path:C:\Windows\SysWOW64\svchost.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\svchost.exe
                Imagebase:0x7ff6b7590000
                File size:44520 bytes
                MD5 hash:FA6C268A5B5BDA067A901764D203D433
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.625777467.0000000002990000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.625289647.0000000002890000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.625199812.0000000000710000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:high

                Target ID:12
                Start time:15:19:41
                Start date:28/01/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:/c del "C:\Users\user\Desktop\overdue invoices.exe"
                Imagebase:0x2a0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:14
                Start time:15:19:42
                Start date:28/01/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff61de10000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:20
                Start time:15:20:16
                Start date:28/01/2022
                Path:C:\Windows\explorer.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                Imagebase:0x7ff6f22f0000
                File size:3933184 bytes
                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                No disassembly