Windows Analysis Report
INVOICE.exe

Overview

General Information

Sample name: INVOICE.exe
Analysis ID: 1520625
MD5: a008e7dd0417d4b3122820c73bf6631a
SHA1: 9085f03e0a56782d3d780c5df3079af723e6093b
SHA256: 175063717f1764ce13bf928d3f25133299ed5d61f241d63e02d29f6b2d67f4f4
Tags: exeuser-TeamDreier

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: INVOICE.exe ReversingLabs: Detection: 52%
Source: Yara match File source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: INVOICE.exe Joe Sandbox ML: detected

Exploits

Source: Yara match File source: 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INVOICE.exe PID: 5892, type: MEMORYSTR
Source: INVOICE.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 4x nop then mov ebx, 00000004h 0_2_027AC66D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 4x nop then mov ebx, 00000004h 5_2_036104DE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 4x nop then mov ebx, 00000004h 5_2_03A804DE
Source: C:\Windows\SysWOW64\findstr.exe Code function: 4x nop then mov ebx, 00000004h 12_2_02AD04DE

E-Banking Fraud

Source: Yara match File source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: INVOICE.exe
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B02BB NtResumeThread, 0_2_027B02BB
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B00A9 SleepEx,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_027B00A9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_0042C483 NtClose, 5_2_0042C483
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B535C0 NtCreateMutant,LdrInitializeThunk, 5_2_03B535C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52B60 NtClose,LdrInitializeThunk, 5_2_03B52B60
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_03B52DF0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_03B52C70
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B54340 NtSetContextThread, 5_2_03B54340
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B53090 NtSetValueKey, 5_2_03B53090
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B53010 NtOpenDirectoryObject, 5_2_03B53010
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B54650 NtSuspendThread, 5_2_03B54650
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52BA0 NtEnumerateValueKey, 5_2_03B52BA0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52B80 NtQueryInformationFile, 5_2_03B52B80
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52BF0 NtAllocateVirtualMemory, 5_2_03B52BF0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52BE0 NtQueryValueKey, 5_2_03B52BE0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52AB0 NtWaitForSingleObject, 5_2_03B52AB0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52AF0 NtWriteFile, 5_2_03B52AF0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52AD0 NtReadFile, 5_2_03B52AD0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B539B0 NtGetContextThread, 5_2_03B539B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52FB0 NtResumeThread, 5_2_03B52FB0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52FA0 NtQuerySection, 5_2_03B52FA0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52F90 NtProtectVirtualMemory, 5_2_03B52F90
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52FE0 NtCreateFile, 5_2_03B52FE0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52F30 NtCreateSection, 5_2_03B52F30
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52F60 NtCreateProcessEx, 5_2_03B52F60
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52EA0 NtAdjustPrivilegesToken, 5_2_03B52EA0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52E80 NtReadVirtualMemory, 5_2_03B52E80
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52EE0 NtQueueApcThread, 5_2_03B52EE0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52E30 NtWriteVirtualMemory, 5_2_03B52E30
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52DB0 NtEnumerateKey, 5_2_03B52DB0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52DD0 NtDelayExecution, 5_2_03B52DD0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52D30 NtUnmapViewOfSection, 5_2_03B52D30
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52D10 NtMapViewOfSection, 5_2_03B52D10
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B53D10 NtOpenProcessToken, 5_2_03B53D10
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52D00 NtSetInformationFile, 5_2_03B52D00
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B53D70 NtOpenThread, 5_2_03B53D70
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52CA0 NtQueryInformationToken, 5_2_03B52CA0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52CF0 NtOpenProcess, 5_2_03B52CF0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52CC0 NtQueryVirtualMemory, 5_2_03B52CC0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52C00 NtQueryInformationProcess, 5_2_03B52C00
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52C60 NtCreateKey, 5_2_03B52C60
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_0362356A NtSetContextThread, 5_2_0362356A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03623BB6 NtResumeThread, 5_2_03623BB6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03623889 NtSuspendThread, 5_2_03623889
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03A93BB6 NtResumeThread, 5_2_03A93BB6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03A93889 NtSuspendThread, 5_2_03A93889
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03A9356A NtSetContextThread, 5_2_03A9356A
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C23090 NtSetValueKey,LdrInitializeThunk, 12_2_02C23090
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C235C0 NtCreateMutant,LdrInitializeThunk, 12_2_02C235C0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22AD0 NtReadFile,LdrInitializeThunk, 12_2_02C22AD0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22B60 NtClose,LdrInitializeThunk, 12_2_02C22B60
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22FE0 NtCreateFile,LdrInitializeThunk, 12_2_02C22FE0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22F30 NtCreateSection,LdrInitializeThunk, 12_2_02C22F30
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22CA0 NtQueryInformationToken,LdrInitializeThunk, 12_2_02C22CA0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22C60 NtCreateKey,LdrInitializeThunk, 12_2_02C22C60
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22C70 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_02C22C70
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22DD0 NtDelayExecution,LdrInitializeThunk, 12_2_02C22DD0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22DF0 NtQuerySystemInformation,LdrInitializeThunk, 12_2_02C22DF0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22D10 NtMapViewOfSection,LdrInitializeThunk, 12_2_02C22D10
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C24340 NtSetContextThread, 12_2_02C24340
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C23010 NtOpenDirectoryObject, 12_2_02C23010
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C24650 NtSuspendThread, 12_2_02C24650
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22AF0 NtWriteFile, 12_2_02C22AF0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22AB0 NtWaitForSingleObject, 12_2_02C22AB0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22BE0 NtQueryValueKey, 12_2_02C22BE0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22BF0 NtAllocateVirtualMemory, 12_2_02C22BF0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22B80 NtQueryInformationFile, 12_2_02C22B80
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22BA0 NtEnumerateValueKey, 12_2_02C22BA0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C239B0 NtGetContextThread, 12_2_02C239B0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22EE0 NtQueueApcThread, 12_2_02C22EE0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22E80 NtReadVirtualMemory, 12_2_02C22E80
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22EA0 NtAdjustPrivilegesToken, 12_2_02C22EA0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22E30 NtWriteVirtualMemory, 12_2_02C22E30
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22F90 NtProtectVirtualMemory, 12_2_02C22F90
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22FA0 NtQuerySection, 12_2_02C22FA0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22FB0 NtResumeThread, 12_2_02C22FB0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22F60 NtCreateProcessEx, 12_2_02C22F60
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22CC0 NtQueryVirtualMemory, 12_2_02C22CC0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22CF0 NtOpenProcess, 12_2_02C22CF0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22C00 NtQueryInformationProcess, 12_2_02C22C00
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22DB0 NtEnumerateKey, 12_2_02C22DB0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C23D70 NtOpenThread, 12_2_02C23D70
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22D00 NtSetInformationFile, 12_2_02C22D00
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C23D10 NtOpenProcessToken, 12_2_02C23D10
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02C22D30 NtUnmapViewOfSection, 12_2_02C22D30
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02ADF1F9 NtQueryInformationProcess,NtClose, 12_2_02ADF1F9
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02AE3898 NtSuspendThread, 12_2_02AE3898
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 03B0B970 appears 268 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 03B8EA12 appears 86 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 03B9F290 appears 105 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 03B67E54 appears 89 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: String function: 03B55130 appears 36 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 02C6F290 appears 105 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 02C25130 appears 36 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 02C5EA12 appears 86 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 02C37E54 appears 96 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 02BDB970 appears 268 times
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5892 -s 1088
Source: INVOICE.exe Static PE information: No import functions for PE file found
Source: INVOICE.exe, 00000000.00000000.2056775843.000002851ED62000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTransponer.exe6 vs INVOICE.exe
Source: INVOICE.exe, 00000000.00000002.2533612073.000000001F03C000.00000004.00000001.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIEXPLORE.EXED vs INVOICE.exe
Source: INVOICE.exe Binary or memory string: OriginalFilenameTransponer.exe6 vs INVOICE.exe
Source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb:
Source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@14/5@0/0
Source: C:\Users\user\Desktop\INVOICE.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5892
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0360b571-d98e-4180-b8ae-bcd426970e44
Source: INVOICE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: INVOICE.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\INVOICE.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: INVOICE.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\INVOICE.exe File read: C:\Users\user\Desktop\INVOICE.exe
Source: unknown Process created: C:\Users\user\Desktop\INVOICE.exe "C:\Users\user\Desktop\INVOICE.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5892 -s 1088
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\INVOICE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: INVOICE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INVOICE.exe Static file information: File size 3255839 > 1048576
Source: INVOICE.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: findstr.pdbGCTL source: iexplore.exe, 00000005.00000003.2452401501.0000000003695000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: iexplore.pdbUGP source: INVOICE.exe, 00000000.00000002.2533612073.000000001F03C000.00000004.00000001.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916480740.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3915876487.0000000002955000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4532649733.00000000105AC000.00000004.00000001.00040000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb: source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbolean)e source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbID source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: iexplore.exe, 00000005.00000002.2453506436.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2158417148.000000000378C000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2160433953.0000000003939000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000002.2453506436.0000000003C7E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000003.2452511177.0000000002857000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002D4E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000003.2454489356.0000000002A09000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: findstr.pdb source: iexplore.exe, 00000005.00000003.2452401501.0000000003695000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: iexplore.exe, iexplore.exe, 00000005.00000002.2453506436.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2158417148.000000000378C000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2160433953.0000000003939000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000002.2453506436.0000000003C7E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, findstr.exe, 0000000C.00000003.2452511177.0000000002857000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002D4E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000003.2454489356.0000000002A09000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb" source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb6U source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: .pdbHJ source: INVOICE.exe, 00000000.00000002.2536544450.000000C396523000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbDD source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdb[ source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbphic Provider source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb# source: INVOICE.exe, 00000000.00000002.2553461109.00000285393F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb9 source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbh source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: System.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER9D5C.tmp.dmp.8.dr
Source: Binary string: iexplore.pdb source: INVOICE.exe, 00000000.00000002.2533612073.000000001F03C000.00000004.00000001.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916480740.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3915876487.0000000002955000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4532649733.00000000105AC000.00000004.00000001.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B7A1F push cs; iretd 0_2_027B7A51
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027C1331 push eax; ret 0_2_027C1333
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B6B1E push edi; ret 0_2_027B6B26
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027BCBF7 push edx; iretd 0_2_027BCC4C
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B77D7 push esi; retf 0_2_027B7878
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B9057 push es; iretd 0_2_027B905D
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B9037 push edx; retf 0_2_027B904C
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B088B push 78AE3EF4h; ret 0_2_027B0898
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B3560 pushad ; retf 0_2_027B35C8
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B3567 pushad ; retf 0_2_027B35C8
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B3538 pushad ; retf 0_2_027B35C8
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B35D2 pushad ; retf 0_2_027B35C8
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_027B95D0 push ebx; retf 0_2_027B95D1
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00007FF848CE6FB0 push esp; retf 5F4Ch 0_2_00007FF848CF5BC9
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00007FF848CE00BD pushad ; iretd 0_2_00007FF848CE00C1
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00007FF848DB026B push esp; retf 4810h 0_2_00007FF848DB0312
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02BE09AD push ecx; mov dword ptr [esp], ecx 12_2_02BE09B6
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02AE0A68 push edx; iretd 12_2_02AE0ABD
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02AD73A9 pushad ; retf 12_2_02AD7439
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02AD73D8 pushad ; retf 12_2_02AD7439
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02AD73D1 pushad ; retf 12_2_02AD7439
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02ADB890 push cs; iretd 12_2_02ADB8C2
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02AE51A2 push eax; ret 12_2_02AE51A4
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02ADA98F push edi; ret 12_2_02ADA997
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02ADCEA8 push edx; retf 12_2_02ADCEBD
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02AD46FC push 78AE3EF4h; ret 12_2_02AD4709
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02ADCEC8 push es; iretd 12_2_02ADCECE
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02ADB648 push esi; retf 12_2_02ADB6E9
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02ADD441 push ebx; retf 12_2_02ADD442
Source: C:\Windows\SysWOW64\findstr.exe Code function: 12_2_02AD7443 pushad ; retf 12_2_02AD7439

Boot Survival

Source: C:\Windows\SysWOW64\findstr.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run XXVLVHS08H
Source: C:\Users\user\Desktop\INVOICE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: INVOICE.exe PID: 5892, type: MEMORYSTR
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\INVOICE.exe Memory allocated: 2851F090000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INVOICE.exe Memory allocated: 285389B0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B8D1C0 rdtsc 5_2_03B8D1C0
Source: C:\Windows\SysWOW64\findstr.exe Window / User API: threadDelayed 9722
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 872
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 879
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\findstr.exe API coverage: 1.1 %
Source: C:\Windows\SysWOW64\findstr.exe TID: 1084 Thread sleep count: 252 > 30
Source: C:\Windows\SysWOW64\findstr.exe TID: 1084 Thread sleep time: -504000s >= -30000s
Source: C:\Windows\SysWOW64\findstr.exe TID: 1084 Thread sleep count: 9722 > 30
Source: C:\Windows\SysWOW64\findstr.exe TID: 1084 Thread sleep time: -19444000s >= -30000s
Source: C:\Windows\SysWOW64\findstr.exe Last function: Thread delayed
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: explorer.exe, 0000000E.00000002.4526405649.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 0000000E.00000000.3842035324.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000E.00000002.4522017851.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: explorer.exe, 0000000E.00000000.3842035324.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4526405649.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: explorer.exe, 0000000E.00000003.3857515555.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: explorer.exe, 0000000E.00000000.3838930768.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 0000000E.00000000.3842035324.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.3840035493.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: explorer.exe, 0000000E.00000003.3857515555.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: findstr.exe, 0000000C.00000002.3915719106.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000E.00000000.3838930768.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: explorer.exe, 0000000E.00000000.3838930768.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 0000000E.00000002.4522017851.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Windows\SysWOW64\findstr.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\INVOICE.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\findstr.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B8D1C0 rdtsc 5_2_03B8D1C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_004175F3 LdrLoadDll, 5_2_004175F3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B433A0 mov eax, dword ptr fs:[00000030h] 5_2_03B433A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h] 5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BA9179 mov eax, dword ptr fs:[00000030h] 5_2_03BA9179
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B17152 mov eax, dword ptr fs:[00000030h] 5_2_03B17152
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B16154 mov eax, dword ptr fs:[00000030h] 5_2_03B16154
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B16154 mov eax, dword ptr fs:[00000030h] 5_2_03B16154
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0C156 mov eax, dword ptr fs:[00000030h] 5_2_03B0C156
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BE5152 mov eax, dword ptr fs:[00000030h] 5_2_03BE5152
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B09148 mov eax, dword ptr fs:[00000030h] 5_2_03B09148
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B09148 mov eax, dword ptr fs:[00000030h] 5_2_03B09148
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B09148 mov eax, dword ptr fs:[00000030h] 5_2_03B09148
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B09148 mov eax, dword ptr fs:[00000030h] 5_2_03B09148
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BA4144 mov eax, dword ptr fs:[00000030h] 5_2_03BA4144
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BA4144 mov eax, dword ptr fs:[00000030h] 5_2_03BA4144
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BA4144 mov ecx, dword ptr fs:[00000030h] 5_2_03BA4144
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BA4144 mov eax, dword ptr fs:[00000030h] 5_2_03BA4144
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BA4144 mov eax, dword ptr fs:[00000030h] 5_2_03BA4144
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BD60B8 mov eax, dword ptr fs:[00000030h] 5_2_03BD60B8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BD60B8 mov ecx, dword ptr fs:[00000030h] 5_2_03BD60B8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B3D090 mov eax, dword ptr fs:[00000030h] 5_2_03B3D090
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B3D090 mov eax, dword ptr fs:[00000030h] 5_2_03B3D090
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B15096 mov eax, dword ptr fs:[00000030h] 5_2_03B15096
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4909C mov eax, dword ptr fs:[00000030h] 5_2_03B4909C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B1208A mov eax, dword ptr fs:[00000030h] 5_2_03B1208A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0D08D mov eax, dword ptr fs:[00000030h] 5_2_03B0D08D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0C0F0 mov eax, dword ptr fs:[00000030h] 5_2_03B0C0F0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B520F0 mov ecx, dword ptr fs:[00000030h] 5_2_03B520F0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0A0E3 mov ecx, dword ptr fs:[00000030h] 5_2_03B0A0E3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B350E4 mov eax, dword ptr fs:[00000030h] 5_2_03B350E4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B350E4 mov ecx, dword ptr fs:[00000030h] 5_2_03B350E4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B180E9 mov eax, dword ptr fs:[00000030h] 5_2_03B180E9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B920DE mov eax, dword ptr fs:[00000030h] 5_2_03B920DE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BE50D9 mov eax, dword ptr fs:[00000030h] 5_2_03BE50D9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B390DB mov eax, dword ptr fs:[00000030h] 5_2_03B390DB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov ecx, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov ecx, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov ecx, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov ecx, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h] 5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B8D0C0 mov eax, dword ptr fs:[00000030h] 5_2_03B8D0C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B8D0C0 mov eax, dword ptr fs:[00000030h] 5_2_03B8D0C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BD903E mov eax, dword ptr fs:[00000030h] 5_2_03BD903E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BD903E mov eax, dword ptr fs:[00000030h] 5_2_03BD903E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BD903E mov eax, dword ptr fs:[00000030h] 5_2_03BD903E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BD903E mov eax, dword ptr fs:[00000030h] 5_2_03BD903E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0A020 mov eax, dword ptr fs:[00000030h] 5_2_03B0A020
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0C020 mov eax, dword ptr fs:[00000030h] 5_2_03B0C020
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B2E016 mov eax, dword ptr fs:[00000030h] 5_2_03B2E016
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B2E016 mov eax, dword ptr fs:[00000030h] 5_2_03B2E016
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B2E016 mov eax, dword ptr fs:[00000030h] 5_2_03B2E016
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B2E016 mov eax, dword ptr fs:[00000030h] 5_2_03B2E016
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B94000 mov ecx, dword ptr fs:[00000030h] 5_2_03B94000
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B3C073 mov eax, dword ptr fs:[00000030h] 5_2_03B3C073
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov ecx, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h] 5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B8D070 mov ecx, dword ptr fs:[00000030h] 5_2_03B8D070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B9106E mov eax, dword ptr fs:[00000030h] 5_2_03B9106E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BE5060 mov eax, dword ptr fs:[00000030h] 5_2_03BE5060
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B12050 mov eax, dword ptr fs:[00000030h] 5_2_03B12050
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B3B052 mov eax, dword ptr fs:[00000030h] 5_2_03B3B052
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BB705E mov ebx, dword ptr fs:[00000030h] 5_2_03BB705E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BB705E mov eax, dword ptr fs:[00000030h] 5_2_03BB705E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B3D7B0 mov eax, dword ptr fs:[00000030h] 5_2_03B3D7B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BE37B6 mov eax, dword ptr fs:[00000030h] 5_2_03BE37B6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h] 5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h] 5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h] 5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h] 5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h] 5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h] 5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h] 5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h] 5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h] 5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B997A9 mov eax, dword ptr fs:[00000030h] 5_2_03B997A9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B9F7AF mov eax, dword ptr fs:[00000030h] 5_2_03B9F7AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B9F7AF mov eax, dword ptr fs:[00000030h] 5_2_03B9F7AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B9F7AF mov eax, dword ptr fs:[00000030h] 5_2_03B9F7AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B9F7AF mov eax, dword ptr fs:[00000030h] 5_2_03B9F7AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B9F7AF mov eax, dword ptr fs:[00000030h] 5_2_03B9F7AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B107AF mov eax, dword ptr fs:[00000030h] 5_2_03B107AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BCF78A mov eax, dword ptr fs:[00000030h] 5_2_03BCF78A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B147FB mov eax, dword ptr fs:[00000030h] 5_2_03B147FB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B147FB mov eax, dword ptr fs:[00000030h] 5_2_03B147FB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B1D7E0 mov ecx, dword ptr fs:[00000030h] 5_2_03B1D7E0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B327ED mov eax, dword ptr fs:[00000030h] 5_2_03B327ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B327ED mov eax, dword ptr fs:[00000030h] 5_2_03B327ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B327ED mov eax, dword ptr fs:[00000030h] 5_2_03B327ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B1C7C0 mov eax, dword ptr fs:[00000030h] 5_2_03B1C7C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B157C0 mov eax, dword ptr fs:[00000030h] 5_2_03B157C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B157C0 mov eax, dword ptr fs:[00000030h] 5_2_03B157C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B157C0 mov eax, dword ptr fs:[00000030h] 5_2_03B157C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B907C3 mov eax, dword ptr fs:[00000030h] 5_2_03B907C3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B09730 mov eax, dword ptr fs:[00000030h] 5_2_03B09730
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B09730 mov eax, dword ptr fs:[00000030h] 5_2_03B09730
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B45734 mov eax, dword ptr fs:[00000030h] 5_2_03B45734
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BEB73C mov eax, dword ptr fs:[00000030h] 5_2_03BEB73C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BEB73C mov eax, dword ptr fs:[00000030h] 5_2_03BEB73C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BEB73C mov eax, dword ptr fs:[00000030h] 5_2_03BEB73C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BEB73C mov eax, dword ptr fs:[00000030h] 5_2_03BEB73C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4273C mov eax, dword ptr fs:[00000030h] 5_2_03B4273C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4273C mov ecx, dword ptr fs:[00000030h] 5_2_03B4273C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4273C mov eax, dword ptr fs:[00000030h] 5_2_03B4273C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B8C730 mov eax, dword ptr fs:[00000030h] 5_2_03B8C730
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B1973A mov eax, dword ptr fs:[00000030h] 5_2_03B1973A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B1973A mov eax, dword ptr fs:[00000030h] 5_2_03B1973A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B13720 mov eax, dword ptr fs:[00000030h] 5_2_03B13720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B2F720 mov eax, dword ptr fs:[00000030h] 5_2_03B2F720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B2F720 mov eax, dword ptr fs:[00000030h] 5_2_03B2F720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B2F720 mov eax, dword ptr fs:[00000030h] 5_2_03B2F720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BCF72E mov eax, dword ptr fs:[00000030h] 5_2_03BCF72E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4C720 mov eax, dword ptr fs:[00000030h] 5_2_03B4C720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4C720 mov eax, dword ptr fs:[00000030h] 5_2_03B4C720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BD972B mov eax, dword ptr fs:[00000030h] 5_2_03BD972B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B10710 mov eax, dword ptr fs:[00000030h] 5_2_03B10710
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B40710 mov eax, dword ptr fs:[00000030h] 5_2_03B40710
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4F71F mov eax, dword ptr fs:[00000030h] 5_2_03B4F71F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4F71F mov eax, dword ptr fs:[00000030h] 5_2_03B4F71F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B17703 mov eax, dword ptr fs:[00000030h] 5_2_03B17703
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B15702 mov eax, dword ptr fs:[00000030h] 5_2_03B15702
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B15702 mov eax, dword ptr fs:[00000030h] 5_2_03B15702
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4C700 mov eax, dword ptr fs:[00000030h] 5_2_03B4C700
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B18770 mov eax, dword ptr fs:[00000030h] 5_2_03B18770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h] 5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0B765 mov eax, dword ptr fs:[00000030h] 5_2_03B0B765
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0B765 mov eax, dword ptr fs:[00000030h] 5_2_03B0B765
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0B765 mov eax, dword ptr fs:[00000030h] 5_2_03B0B765
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0B765 mov eax, dword ptr fs:[00000030h] 5_2_03B0B765
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B10750 mov eax, dword ptr fs:[00000030h] 5_2_03B10750
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52750 mov eax, dword ptr fs:[00000030h] 5_2_03B52750
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B52750 mov eax, dword ptr fs:[00000030h] 5_2_03B52750
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B94755 mov eax, dword ptr fs:[00000030h] 5_2_03B94755
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B23740 mov eax, dword ptr fs:[00000030h] 5_2_03B23740
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B23740 mov eax, dword ptr fs:[00000030h] 5_2_03B23740
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B23740 mov eax, dword ptr fs:[00000030h] 5_2_03B23740
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BE3749 mov eax, dword ptr fs:[00000030h] 5_2_03BE3749
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4674D mov esi, dword ptr fs:[00000030h] 5_2_03B4674D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4674D mov eax, dword ptr fs:[00000030h] 5_2_03B4674D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4674D mov eax, dword ptr fs:[00000030h] 5_2_03B4674D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B076B2 mov eax, dword ptr fs:[00000030h] 5_2_03B076B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B076B2 mov eax, dword ptr fs:[00000030h] 5_2_03B076B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B076B2 mov eax, dword ptr fs:[00000030h] 5_2_03B076B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B466B0 mov eax, dword ptr fs:[00000030h] 5_2_03B466B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B4C6A6 mov eax, dword ptr fs:[00000030h] 5_2_03B4C6A6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0D6AA mov eax, dword ptr fs:[00000030h] 5_2_03B0D6AA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B0D6AA mov eax, dword ptr fs:[00000030h] 5_2_03B0D6AA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B14690 mov eax, dword ptr fs:[00000030h] 5_2_03B14690
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B14690 mov eax, dword ptr fs:[00000030h] 5_2_03B14690
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B9368C mov eax, dword ptr fs:[00000030h] 5_2_03B9368C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B9368C mov eax, dword ptr fs:[00000030h] 5_2_03B9368C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B9368C mov eax, dword ptr fs:[00000030h] 5_2_03B9368C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B9368C mov eax, dword ptr fs:[00000030h] 5_2_03B9368C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B906F1 mov eax, dword ptr fs:[00000030h] 5_2_03B906F1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B906F1 mov eax, dword ptr fs:[00000030h] 5_2_03B906F1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B8E6F2 mov eax, dword ptr fs:[00000030h] 5_2_03B8E6F2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B8E6F2 mov eax, dword ptr fs:[00000030h] 5_2_03B8E6F2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B8E6F2 mov eax, dword ptr fs:[00000030h] 5_2_03B8E6F2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B8E6F2 mov eax, dword ptr fs:[00000030h] 5_2_03B8E6F2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03BCD6F0 mov eax, dword ptr fs:[00000030h] 5_2_03BCD6F0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Code function: 5_2_03B3D6E0 mov eax, dword ptr fs:[00000030h] 5_2_03B3D6E0
Source: C:\Users\user\Desktop\INVOICE.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: INVOICE.exe, ---.cs Reference to suspicious API methods: LoadLibrary(_FDCF_FDE4_0657_0616_FD49(_0653_FDEE._FD45_FBD0_FDE4))
Source: INVOICE.exe, ---.cs Reference to suspicious API methods: GetProcAddress(intPtr, _FDCF_FDE4_0657_0616_FD49(_0653_FDEE._FD44))
Source: INVOICE.exe, ---.cs Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.ToArray().Length, 64u, out var _FBCF_FD41_FD4F_065B_FDFC_0611_065C)
Source: C:\Users\user\Desktop\INVOICE.exe Memory allocated: C:\Windows\System32\notepad.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INVOICE.exe Memory allocated: C:\Windows\System32\calc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INVOICE.exe Memory allocated: C:\Windows\System32\cmd.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INVOICE.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\INVOICE.exe NtResumeThread: Indirect: 0x27B038F
Source: C:\Users\user\Desktop\INVOICE.exe NtMapViewOfSection: Indirect: 0x27B0252
Source: C:\Users\user\Desktop\INVOICE.exe NtMapViewOfSection: Indirect: 0x27B0296
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\System32\notepad.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\System32\calc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\System32\cmd.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: NULL target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Section loaded: NULL target: C:\Users\user\Desktop\INVOICE.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Section loaded: NULL target: C:\Users\user\Desktop\INVOICE.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Users\user\Desktop\INVOICE.exe protection: read write
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Thread register set: target process: 5892
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Thread register set: target process: 5892
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\System32\notepad.exe base: 400000
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\System32\notepad.exe base: 401000
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\System32\calc.exe base: 400000
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\System32\calc.exe base: 401000
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\System32\cmd.exe base: 400000
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\System32\cmd.exe base: 401000
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 401000
Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3199008
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: explorer.exe, 0000000E.00000003.3855253684.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 0000000E.00000002.4522583879.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.3838495627.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000E.00000002.4522583879.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000002.4524153690.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3838495627.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000002.4522583879.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.3838495627.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000002.4522583879.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.3838495627.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000E.00000002.4522017851.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3837886482.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Source: C:\Users\user\Desktop\INVOICE.exe Queries volume information: C:\Users\user\Desktop\INVOICE.exe VolumeInformation
Source: C:\Users\user\Desktop\INVOICE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos