Windows Analysis Report
INVOICE.exe

AI detected suspicious sample

Source: Yara match	File source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: INVOICE.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOICE.exe PID: 5892, type: MEMORYSTR

Source: INVOICE.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: findstr.pdbGCTL source: iexplore.exe, 00000005.00000003.2452401501.0000000003695000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: iexplore.pdbUGP source: INVOICE.exe, 00000000.00000002.2533612073.000000001F03C000.00000004.00000001.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916480740.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3915876487.0000000002955000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4532649733.00000000105AC000.00000004.00000001.00040000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb: source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbolean)e source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbID source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: iexplore.exe, 00000005.00000002.2453506436.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2158417148.000000000378C000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2160433953.0000000003939000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000002.2453506436.0000000003C7E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000003.2452511177.0000000002857000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002D4E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000003.2454489356.0000000002A09000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: findstr.pdb source: iexplore.exe, 00000005.00000003.2452401501.0000000003695000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: iexplore.exe, iexplore.exe, 00000005.00000002.2453506436.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2158417148.000000000378C000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2160433953.0000000003939000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000002.2453506436.0000000003C7E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, findstr.exe, 0000000C.00000003.2452511177.0000000002857000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002D4E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000003.2454489356.0000000002A09000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb" source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb6U source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: .pdbHJ source: INVOICE.exe, 00000000.00000002.2536544450.000000C396523000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbDD source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb[ source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbphic Provider source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb# source: INVOICE.exe, 00000000.00000002.2553461109.00000285393F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb9 source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbh source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: iexplore.pdb source: INVOICE.exe, 00000000.00000002.2533612073.000000001F03C000.00000004.00000001.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916480740.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3915876487.0000000002955000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4532649733.00000000105AC000.00000004.00000001.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 4x nop then mov ebx, 00000004h	0_2_027AC66D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_036104DE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_03A804DE
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 4x nop then mov ebx, 00000004h	12_2_02AD04DE

Source: explorer.exe, 0000000E.00000002.4526405649.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4526405649.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000E.00000000.3837886482.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4522017851.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 0000000E.00000002.4526405649.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4526405649.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000E.00000002.4526405649.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4526405649.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000E.00000002.4526405649.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4526405649.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000E.00000002.4526405649.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000E.00000000.3841643921.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000002.4525411811.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.3841607303.0000000008870000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: explorer.exe, 0000000E.00000003.3858159922.000000000C549000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4530113471.000000000C549000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3844621759.000000000C549000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 0000000E.00000002.4524366956.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3840035493.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3857515555.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000E.00000003.3851770477.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4526405649.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000E.00000000.3840035493.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4524366956.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000E.00000002.4523164286.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3838930768.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3856012806.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 0000000E.00000003.3855253684.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000E.00000003.3855253684.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000E.00000000.3844621759.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4530113471.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 0000000E.00000002.4526405649.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 0000000E.00000002.4526405649.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: INVOICE.exe

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B02BB NtResumeThread,	0_2_027B02BB
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B00A9 SleepEx,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_027B00A9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0042C483 NtClose,	5_2_0042C483
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B535C0 NtCreateMutant,LdrInitializeThunk,	5_2_03B535C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52B60 NtClose,LdrInitializeThunk,	5_2_03B52B60
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03B52DF0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_03B52C70
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B54340 NtSetContextThread,	5_2_03B54340
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B53090 NtSetValueKey,	5_2_03B53090
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B53010 NtOpenDirectoryObject,	5_2_03B53010
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B54650 NtSuspendThread,	5_2_03B54650
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52BA0 NtEnumerateValueKey,	5_2_03B52BA0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52B80 NtQueryInformationFile,	5_2_03B52B80
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52BF0 NtAllocateVirtualMemory,	5_2_03B52BF0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52BE0 NtQueryValueKey,	5_2_03B52BE0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52AB0 NtWaitForSingleObject,	5_2_03B52AB0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52AF0 NtWriteFile,	5_2_03B52AF0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52AD0 NtReadFile,	5_2_03B52AD0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B539B0 NtGetContextThread,	5_2_03B539B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52FB0 NtResumeThread,	5_2_03B52FB0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52FA0 NtQuerySection,	5_2_03B52FA0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52F90 NtProtectVirtualMemory,	5_2_03B52F90
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52FE0 NtCreateFile,	5_2_03B52FE0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52F30 NtCreateSection,	5_2_03B52F30
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52F60 NtCreateProcessEx,	5_2_03B52F60
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52EA0 NtAdjustPrivilegesToken,	5_2_03B52EA0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52E80 NtReadVirtualMemory,	5_2_03B52E80
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52EE0 NtQueueApcThread,	5_2_03B52EE0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52E30 NtWriteVirtualMemory,	5_2_03B52E30
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52DB0 NtEnumerateKey,	5_2_03B52DB0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52DD0 NtDelayExecution,	5_2_03B52DD0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52D30 NtUnmapViewOfSection,	5_2_03B52D30
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52D10 NtMapViewOfSection,	5_2_03B52D10
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B53D10 NtOpenProcessToken,	5_2_03B53D10
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52D00 NtSetInformationFile,	5_2_03B52D00
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B53D70 NtOpenThread,	5_2_03B53D70
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52CA0 NtQueryInformationToken,	5_2_03B52CA0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52CF0 NtOpenProcess,	5_2_03B52CF0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52CC0 NtQueryVirtualMemory,	5_2_03B52CC0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52C00 NtQueryInformationProcess,	5_2_03B52C00
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52C60 NtCreateKey,	5_2_03B52C60
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0362356A NtSetContextThread,	5_2_0362356A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03623BB6 NtResumeThread,	5_2_03623BB6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03623889 NtSuspendThread,	5_2_03623889
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03A93BB6 NtResumeThread,	5_2_03A93BB6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03A93889 NtSuspendThread,	5_2_03A93889
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03A9356A NtSetContextThread,	5_2_03A9356A
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C23090 NtSetValueKey,LdrInitializeThunk,	12_2_02C23090
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C235C0 NtCreateMutant,LdrInitializeThunk,	12_2_02C235C0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22AD0 NtReadFile,LdrInitializeThunk,	12_2_02C22AD0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22B60 NtClose,LdrInitializeThunk,	12_2_02C22B60
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22FE0 NtCreateFile,LdrInitializeThunk,	12_2_02C22FE0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22F30 NtCreateSection,LdrInitializeThunk,	12_2_02C22F30
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22CA0 NtQueryInformationToken,LdrInitializeThunk,	12_2_02C22CA0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22C60 NtCreateKey,LdrInitializeThunk,	12_2_02C22C60
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_02C22C70
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22DD0 NtDelayExecution,LdrInitializeThunk,	12_2_02C22DD0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_02C22DF0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22D10 NtMapViewOfSection,LdrInitializeThunk,	12_2_02C22D10
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C24340 NtSetContextThread,	12_2_02C24340
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C23010 NtOpenDirectoryObject,	12_2_02C23010
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C24650 NtSuspendThread,	12_2_02C24650
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22AF0 NtWriteFile,	12_2_02C22AF0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22AB0 NtWaitForSingleObject,	12_2_02C22AB0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22BE0 NtQueryValueKey,	12_2_02C22BE0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22BF0 NtAllocateVirtualMemory,	12_2_02C22BF0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22B80 NtQueryInformationFile,	12_2_02C22B80
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22BA0 NtEnumerateValueKey,	12_2_02C22BA0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C239B0 NtGetContextThread,	12_2_02C239B0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22EE0 NtQueueApcThread,	12_2_02C22EE0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22E80 NtReadVirtualMemory,	12_2_02C22E80
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22EA0 NtAdjustPrivilegesToken,	12_2_02C22EA0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22E30 NtWriteVirtualMemory,	12_2_02C22E30
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22F90 NtProtectVirtualMemory,	12_2_02C22F90
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22FA0 NtQuerySection,	12_2_02C22FA0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22FB0 NtResumeThread,	12_2_02C22FB0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22F60 NtCreateProcessEx,	12_2_02C22F60
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22CC0 NtQueryVirtualMemory,	12_2_02C22CC0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22CF0 NtOpenProcess,	12_2_02C22CF0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22C00 NtQueryInformationProcess,	12_2_02C22C00
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22DB0 NtEnumerateKey,	12_2_02C22DB0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C23D70 NtOpenThread,	12_2_02C23D70
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22D00 NtSetInformationFile,	12_2_02C22D00
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C23D10 NtOpenProcessToken,	12_2_02C23D10
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C22D30 NtUnmapViewOfSection,	12_2_02C22D30
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADF1F9 NtQueryInformationProcess,NtClose,	12_2_02ADF1F9
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02AE3898 NtSuspendThread,	12_2_02AE3898

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027BA662	0_2_027BA662
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B9A67	0_2_027B9A67
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027C14FB	0_2_027C14FB
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027BA547	0_2_027BA547
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B8D17	0_2_027B8D17
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027BA9FB	0_2_027BA9FB
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848CE45F0	0_2_00007FF848CE45F0
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848CE0909	0_2_00007FF848CE0909
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848CF4A5C	0_2_00007FF848CF4A5C
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848CE33D0	0_2_00007FF848CE33D0
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848CE8B30	0_2_00007FF848CE8B30
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848CE8B28	0_2_00007FF848CE8B28
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848CEE865	0_2_00007FF848CEE865
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848CF4ABF	0_2_00007FF848CF4ABF
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848CF4379	0_2_00007FF848CF4379
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_00418473	5_2_00418473
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_00403060	5_2_00403060
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_00401000	5_2_00401000
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0040118B	5_2_0040118B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_00401190	5_2_00401190
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0042EAA3	5_2_0042EAA3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_00401300	5_2_00401300
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_004024E0	5_2_004024E0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0040FCAC	5_2_0040FCAC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0040FCB3	5_2_0040FCB3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_00416643	5_2_00416643
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0040FED3	5_2_0040FED3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0040DEF7	5_2_0040DEF7
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0040DF49	5_2_0040DF49
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0040DF53	5_2_0040DF53
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B6739A	5_2_03B6739A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2E3F0	5_2_03B2E3F0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE03E6	5_2_03BE03E6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD132D	5_2_03BD132D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDA352	5_2_03BDA352
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0D34C	5_2_03B0D34C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B252A0	5_2_03B252A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3B2C0	5_2_03B3B2C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2B1B0	5_2_03B2B1B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE01AA	5_2_03BE01AA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD81CC	5_2_03BD81CC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BBA118	5_2_03BBA118
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B10100	5_2_03B10100
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BEB16B	5_2_03BEB16B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B5516C	5_2_03B5516C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD70E9	5_2_03BD70E9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDF0E0	5_2_03BDF0E0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCF0CC	5_2_03BCF0CC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDF7B0	5_2_03BDF7B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1C7C0	5_2_03B1C7C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B44750	5_2_03B44750
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3C6E0	5_2_03B3C6E0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD16CC	5_2_03BD16CC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BBD5B0	5_2_03BBD5B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE0591	5_2_03BE0591
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20535	5_2_03B20535
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD7571	5_2_03BD7571
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCE4F6	5_2_03BCE4F6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDF43F	5_2_03BDF43F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B11460	5_2_03B11460
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD2446	5_2_03BD2446
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3FB80	5_2_03B3FB80
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B5DBF9	5_2_03B5DBF9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD6BD7	5_2_03BD6BD7
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDFB76	5_2_03BDFB76
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDAB40	5_2_03BDAB40
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B65AA0	5_2_03B65AA0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BBDAAC	5_2_03BBDAAC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1EA80	5_2_03B1EA80
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCDAC6	5_2_03BCDAC6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B93A6C	5_2_03B93A6C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDFA49	5_2_03BDFA49
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD7A46	5_2_03BD7A46
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B229A0	5_2_03B229A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BEA9A6	5_2_03BEA9A6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B36962	5_2_03B36962
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B29950	5_2_03B29950
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3B950	5_2_03B3B950
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B068B8	5_2_03B068B8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4E8F0	5_2_03B4E8F0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B238E0	5_2_03B238E0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8D800	5_2_03B8D800
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B22840	5_2_03B22840
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2A840	5_2_03B2A840
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDFFB1	5_2_03BDFFB1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21F92	5_2_03B21F92
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2CFE0	5_2_03B2CFE0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B12FC8	5_2_03B12FC8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B40F30	5_2_03B40F30
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B62F28	5_2_03B62F28
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDFF09	5_2_03BDFF09
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B94F40	5_2_03B94F40
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B29EB0	5_2_03B29EB0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B32E90	5_2_03B32E90
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDCE93	5_2_03BDCE93
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDEEDB	5_2_03BDEEDB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDEE26	5_2_03BDEE26
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20E59	5_2_03B20E59
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B38DBF	5_2_03B38DBF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1ADE0	5_2_03B1ADE0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3FDC0	5_2_03B3FDC0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2AD00	5_2_03B2AD00
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD7D73	5_2_03BD7D73
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD1D5A	5_2_03BD1D5A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B23D40	5_2_03B23D40
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0CB5	5_2_03BC0CB5
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B10CF2	5_2_03B10CF2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDFCF2	5_2_03BDFCF2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B99C32	5_2_03B99C32
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20C00	5_2_03B20C00
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0362536C	5_2_0362536C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0361E3B8	5_2_0361E3B8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0361E4D3	5_2_0361E4D3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0361CB88	5_2_0361CB88
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0361E86C	5_2_0361E86C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_0361D8D8	5_2_0361D8D8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03A8E3B8	5_2_03A8E3B8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03A8CB88	5_2_03A8CB88
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03A9536C	5_2_03A9536C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03A8D8D8	5_2_03A8D8D8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03A8E86C	5_2_03A8E86C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03A8E4D3	5_2_03A8E4D3
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C0B2C0	12_2_02C0B2C0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF52A0	12_2_02BF52A0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C912ED	12_2_02C912ED
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C90274	12_2_02C90274
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CB03E6	12_2_02CB03E6
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BFE3F0	12_2_02BFE3F0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C3739A	12_2_02C3739A
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAA352	12_2_02CAA352
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CA132D	12_2_02CA132D
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BDD34C	12_2_02BDD34C
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C9F0CC	12_2_02C9F0CC
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CA70E9	12_2_02CA70E9
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAF0E0	12_2_02CAF0E0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF70C0	12_2_02BF70C0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CA81CC	12_2_02CA81CC
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BFB1B0	12_2_02BFB1B0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CB01AA	12_2_02CB01AA
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C78158	12_2_02C78158
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CBB16B	12_2_02CBB16B
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C2516C	12_2_02C2516C
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BE0100	12_2_02BE0100
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BDF172	12_2_02BDF172
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C8A118	12_2_02C8A118
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CA16CC	12_2_02CA16CC
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C0C6E0	12_2_02C0C6E0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAF7B0	12_2_02CAF7B0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BEC7C0	12_2_02BEC7C0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C14750	12_2_02C14750
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF0770	12_2_02BF0770
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C9E4F6	12_2_02C9E4F6
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CA2446	12_2_02CA2446
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BE1460	12_2_02BE1460
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAF43F	12_2_02CAF43F
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CB0591	12_2_02CB0591
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C8D5B0	12_2_02C8D5B0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF0535	12_2_02BF0535
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CA7571	12_2_02CA7571
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C9DAC6	12_2_02C9DAC6
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BEEA80	12_2_02BEEA80
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C35AA0	12_2_02C35AA0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C8DAAC	12_2_02C8DAAC
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAFA49	12_2_02CAFA49
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CA7A46	12_2_02CA7A46
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C63A6C	12_2_02C63A6C
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CA6BD7	12_2_02CA6BD7
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C65BF0	12_2_02C65BF0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C2DBF9	12_2_02C2DBF9
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C0FB80	12_2_02C0FB80
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAAB40	12_2_02CAAB40
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAFB76	12_2_02CAFB76
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BD68B8	12_2_02BD68B8
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C1E8F0	12_2_02C1E8F0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF38E0	12_2_02BF38E0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C5D800	12_2_02C5D800
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BFA840	12_2_02BFA840
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF2840	12_2_02BF2840
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF29A0	12_2_02BF29A0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CBA9A6	12_2_02CBA9A6
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C0B950	12_2_02C0B950
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C06962	12_2_02C06962
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF9950	12_2_02BF9950
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF9EB0	12_2_02BF9EB0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAEEDB	12_2_02CAEEDB
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C02E90	12_2_02C02E90
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CACE93	12_2_02CACE93
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF0E59	12_2_02BF0E59
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAEE26	12_2_02CAEE26
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF1F92	12_2_02BF1F92
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BFCFE0	12_2_02BFCFE0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BE2FC8	12_2_02BE2FC8
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAFFB1	12_2_02CAFFB1
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C64F40	12_2_02C64F40
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAFF09	12_2_02CAFF09
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C32F28	12_2_02C32F28
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C10F30	12_2_02C10F30
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CAFCF2	12_2_02CAFCF2
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BE0CF2	12_2_02BE0CF2
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C90CB5	12_2_02C90CB5
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF0C00	12_2_02BF0C00
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C69C32	12_2_02C69C32
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C0FDC0	12_2_02C0FDC0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BEADE0	12_2_02BEADE0
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02C08DBF	12_2_02C08DBF
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CA1D5A	12_2_02CA1D5A
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02CA7D73	12_2_02CA7D73
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BFAD00	12_2_02BFAD00
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BF3D40	12_2_02BF3D40
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADF1F9	12_2_02ADF1F9
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADE3B8	12_2_02ADE3B8
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADCB88	12_2_02ADCB88
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02AE536C	12_2_02AE536C
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADD8D8	12_2_02ADD8D8
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADE86C	12_2_02ADE86C
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADE4D3	12_2_02ADE4D3

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: String function: 03B0B970 appears 268 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: String function: 03B8EA12 appears 86 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: String function: 03B9F290 appears 105 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: String function: 03B67E54 appears 89 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: String function: 03B55130 appears 36 times
Source: C:\Windows\SysWOW64\findstr.exe	Code function: String function: 02C6F290 appears 105 times
Source: C:\Windows\SysWOW64\findstr.exe	Code function: String function: 02C25130 appears 36 times
Source: C:\Windows\SysWOW64\findstr.exe	Code function: String function: 02C5EA12 appears 86 times
Source: C:\Windows\SysWOW64\findstr.exe	Code function: String function: 02C37E54 appears 96 times
Source: C:\Windows\SysWOW64\findstr.exe	Code function: String function: 02BDB970 appears 268 times

Source: C:\Users\user\Desktop\INVOICE.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5892 -s 1088

Source: INVOICE.exe

Static PE information: No import functions for PE file found

Source: INVOICE.exe, 00000000.00000000.2056775843.000002851ED62000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTransponer.exe6 vs INVOICE.exe
Source: INVOICE.exe, 00000000.00000002.2533612073.000000001F03C000.00000004.00000001.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs INVOICE.exe
Source: INVOICE.exe	Binary or memory string: OriginalFilenameTransponer.exe6 vs INVOICE.exe

Source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb:
Source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@14/5@0/0

Source: C:\Users\user\Desktop\INVOICE.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5892

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0360b571-d98e-4180-b8ae-bcd426970e44

Source: INVOICE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: INVOICE.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\INVOICE.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: INVOICE.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\INVOICE.exe

File read: C:\Users\user\Desktop\INVOICE.exe

Source: unknown	Process created: C:\Users\user\Desktop\INVOICE.exe "C:\Users\user\Desktop\INVOICE.exe"
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe"
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5892 -s 1088
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\INVOICE.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Creates an undocumented autostart registry key

Source: INVOICE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: INVOICE.exe

Static file information: File size 3255839 > 1048576

Source: INVOICE.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: findstr.pdbGCTL source: iexplore.exe, 00000005.00000003.2452401501.0000000003695000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: iexplore.pdbUGP source: INVOICE.exe, 00000000.00000002.2533612073.000000001F03C000.00000004.00000001.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916480740.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3915876487.0000000002955000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4532649733.00000000105AC000.00000004.00000001.00040000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb: source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbolean)e source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbID source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: iexplore.exe, 00000005.00000002.2453506436.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2158417148.000000000378C000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2160433953.0000000003939000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000002.2453506436.0000000003C7E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000003.2452511177.0000000002857000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002D4E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000003.2454489356.0000000002A09000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: findstr.pdb source: iexplore.exe, 00000005.00000003.2452401501.0000000003695000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: iexplore.exe, iexplore.exe, 00000005.00000002.2453506436.0000000003AE0000.00000040.00001000.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2158417148.000000000378C000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000003.2160433953.0000000003939000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 00000005.00000002.2453506436.0000000003C7E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, findstr.exe, 0000000C.00000003.2452511177.0000000002857000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002D4E000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916076692.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 0000000C.00000003.2454489356.0000000002A09000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb" source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb6U source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: .pdbHJ source: INVOICE.exe, 00000000.00000002.2536544450.000000C396523000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbDD source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb[ source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbphic Provider source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: INVOICE.exe, 00000000.00000002.2537107832.000002851EF73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb# source: INVOICE.exe, 00000000.00000002.2553461109.00000285393F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb9 source: INVOICE.exe, 00000000.00000002.2553461109.000002853942F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbh source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdb source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9D5C.tmp.dmp.8.dr
Source:	Binary string: iexplore.pdb source: INVOICE.exe, 00000000.00000002.2533612073.000000001F03C000.00000004.00000001.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3916480740.00000000031DC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 0000000C.00000002.3915876487.0000000002955000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4532649733.00000000105AC000.00000004.00000001.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B7A1F push cs; iretd	0_2_027B7A51
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027C1331 push eax; ret	0_2_027C1333
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B6B1E push edi; ret	0_2_027B6B26
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027BCBF7 push edx; iretd	0_2_027BCC4C
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B77D7 push esi; retf	0_2_027B7878
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B9057 push es; iretd	0_2_027B905D
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B9037 push edx; retf	0_2_027B904C
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B088B push 78AE3EF4h; ret	0_2_027B0898
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B3560 pushad ; retf	0_2_027B35C8
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B3567 pushad ; retf	0_2_027B35C8
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B3538 pushad ; retf	0_2_027B35C8
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B35D2 pushad ; retf	0_2_027B35C8
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_027B95D0 push ebx; retf	0_2_027B95D1
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848CE6FB0 push esp; retf 5F4Ch	0_2_00007FF848CF5BC9
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848CE00BD pushad ; iretd	0_2_00007FF848CE00C1
Source: C:\Users\user\Desktop\INVOICE.exe	Code function: 0_2_00007FF848DB026B push esp; retf 4810h	0_2_00007FF848DB0312
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02BE09AD push ecx; mov dword ptr [esp], ecx	12_2_02BE09B6
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02AE0A68 push edx; iretd	12_2_02AE0ABD
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02AD73A9 pushad ; retf	12_2_02AD7439
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02AD73D8 pushad ; retf	12_2_02AD7439
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02AD73D1 pushad ; retf	12_2_02AD7439
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADB890 push cs; iretd	12_2_02ADB8C2
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02AE51A2 push eax; ret	12_2_02AE51A4
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADA98F push edi; ret	12_2_02ADA997
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADCEA8 push edx; retf	12_2_02ADCEBD
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02AD46FC push 78AE3EF4h; ret	12_2_02AD4709
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADCEC8 push es; iretd	12_2_02ADCECE
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADB648 push esi; retf	12_2_02ADB6E9
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02ADD441 push ebx; retf	12_2_02ADD442
Source: C:\Windows\SysWOW64\findstr.exe	Code function: 12_2_02AD7443 pushad ; retf	12_2_02AD7439

Boot Survival

Source: C:\Windows\SysWOW64\findstr.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run XXVLVHS08H	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run XXVLVHS08H	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run XXVLVHS08H	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run XXVLVHS08H	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: INVOICE.exe PID: 5892, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\findstr.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\findstr.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\findstr.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\INVOICE.exe	Memory allocated: 2851F090000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory allocated: 285389B0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Code function: 5_2_03B8D1C0 rdtsc

5_2_03B8D1C0

Source: C:\Windows\SysWOW64\findstr.exe	Window / User API: threadDelayed 9722	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 872	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 879	Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\findstr.exe	API coverage: 1.1 %

Source: C:\Windows\SysWOW64\findstr.exe TID: 1084	Thread sleep count: 252 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe TID: 1084	Thread sleep time: -504000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe TID: 1084	Thread sleep count: 9722 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe TID: 1084	Thread sleep time: -19444000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\findstr.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\findstr.exe	Last function: Thread delayed

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: explorer.exe, 0000000E.00000002.4526405649.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 0000000E.00000000.3842035324.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000E.00000002.4522017851.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: explorer.exe, 0000000E.00000000.3842035324.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4526405649.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: explorer.exe, 0000000E.00000003.3857515555.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: explorer.exe, 0000000E.00000000.3838930768.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 0000000E.00000000.3842035324.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.3840035493.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: explorer.exe, 0000000E.00000003.3857515555.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: findstr.exe, 0000000C.00000002.3915719106.000000000275E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: INVOICE.exe, 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000E.00000000.3838930768.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: explorer.exe, 0000000E.00000000.3838930768.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 0000000E.00000002.4522017851.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Windows\SysWOW64\findstr.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\INVOICE.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Code function: 5_2_03B8D1C0 rdtsc

5_2_03B8D1C0

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Code function: 5_2_004175F3 LdrLoadDll,

5_2_004175F3

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B433A0 mov eax, dword ptr fs:[00000030h]	5_2_03B433A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B433A0 mov eax, dword ptr fs:[00000030h]	5_2_03B433A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B333A5 mov eax, dword ptr fs:[00000030h]	5_2_03B333A5
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE539D mov eax, dword ptr fs:[00000030h]	5_2_03BE539D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B08397 mov eax, dword ptr fs:[00000030h]	5_2_03B08397
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B08397 mov eax, dword ptr fs:[00000030h]	5_2_03B08397
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B08397 mov eax, dword ptr fs:[00000030h]	5_2_03B08397
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B6739A mov eax, dword ptr fs:[00000030h]	5_2_03B6739A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B6739A mov eax, dword ptr fs:[00000030h]	5_2_03B6739A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0E388 mov eax, dword ptr fs:[00000030h]	5_2_03B0E388
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0E388 mov eax, dword ptr fs:[00000030h]	5_2_03B0E388
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0E388 mov eax, dword ptr fs:[00000030h]	5_2_03B0E388
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3438F mov eax, dword ptr fs:[00000030h]	5_2_03B3438F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3438F mov eax, dword ptr fs:[00000030h]	5_2_03B3438F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE53FC mov eax, dword ptr fs:[00000030h]	5_2_03BE53FC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2E3F0 mov eax, dword ptr fs:[00000030h]	5_2_03B2E3F0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2E3F0 mov eax, dword ptr fs:[00000030h]	5_2_03B2E3F0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2E3F0 mov eax, dword ptr fs:[00000030h]	5_2_03B2E3F0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B463FF mov eax, dword ptr fs:[00000030h]	5_2_03B463FF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCF3E6 mov eax, dword ptr fs:[00000030h]	5_2_03BCF3E6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B203E9 mov eax, dword ptr fs:[00000030h]	5_2_03B203E9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B203E9 mov eax, dword ptr fs:[00000030h]	5_2_03B203E9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B203E9 mov eax, dword ptr fs:[00000030h]	5_2_03B203E9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B203E9 mov eax, dword ptr fs:[00000030h]	5_2_03B203E9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B203E9 mov eax, dword ptr fs:[00000030h]	5_2_03B203E9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B203E9 mov eax, dword ptr fs:[00000030h]	5_2_03B203E9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B203E9 mov eax, dword ptr fs:[00000030h]	5_2_03B203E9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B203E9 mov eax, dword ptr fs:[00000030h]	5_2_03B203E9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCB3D0 mov ecx, dword ptr fs:[00000030h]	5_2_03BCB3D0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCC3CD mov eax, dword ptr fs:[00000030h]	5_2_03BCC3CD
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1A3C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1A3C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1A3C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1A3C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1A3C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1A3C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1A3C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1A3C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1A3C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1A3C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1A3C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1A3C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B183C0 mov eax, dword ptr fs:[00000030h]	5_2_03B183C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B183C0 mov eax, dword ptr fs:[00000030h]	5_2_03B183C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B183C0 mov eax, dword ptr fs:[00000030h]	5_2_03B183C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B183C0 mov eax, dword ptr fs:[00000030h]	5_2_03B183C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B07330 mov eax, dword ptr fs:[00000030h]	5_2_03B07330
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD132D mov eax, dword ptr fs:[00000030h]	5_2_03BD132D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD132D mov eax, dword ptr fs:[00000030h]	5_2_03BD132D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3F32A mov eax, dword ptr fs:[00000030h]	5_2_03B3F32A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0C310 mov ecx, dword ptr fs:[00000030h]	5_2_03B0C310
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B30310 mov ecx, dword ptr fs:[00000030h]	5_2_03B30310
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9930B mov eax, dword ptr fs:[00000030h]	5_2_03B9930B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9930B mov eax, dword ptr fs:[00000030h]	5_2_03B9930B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9930B mov eax, dword ptr fs:[00000030h]	5_2_03B9930B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4A30B mov eax, dword ptr fs:[00000030h]	5_2_03B4A30B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4A30B mov eax, dword ptr fs:[00000030h]	5_2_03B4A30B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4A30B mov eax, dword ptr fs:[00000030h]	5_2_03B4A30B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B17370 mov eax, dword ptr fs:[00000030h]	5_2_03B17370
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B17370 mov eax, dword ptr fs:[00000030h]	5_2_03B17370
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B17370 mov eax, dword ptr fs:[00000030h]	5_2_03B17370
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BB437C mov eax, dword ptr fs:[00000030h]	5_2_03BB437C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCF367 mov eax, dword ptr fs:[00000030h]	5_2_03BCF367
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B09353 mov eax, dword ptr fs:[00000030h]	5_2_03B09353
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B09353 mov eax, dword ptr fs:[00000030h]	5_2_03B09353
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9035C mov eax, dword ptr fs:[00000030h]	5_2_03B9035C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9035C mov eax, dword ptr fs:[00000030h]	5_2_03B9035C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9035C mov eax, dword ptr fs:[00000030h]	5_2_03B9035C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9035C mov ecx, dword ptr fs:[00000030h]	5_2_03B9035C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9035C mov eax, dword ptr fs:[00000030h]	5_2_03B9035C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9035C mov eax, dword ptr fs:[00000030h]	5_2_03B9035C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDA352 mov eax, dword ptr fs:[00000030h]	5_2_03BDA352
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B92349 mov eax, dword ptr fs:[00000030h]	5_2_03B92349
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0D34C mov eax, dword ptr fs:[00000030h]	5_2_03B0D34C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0D34C mov eax, dword ptr fs:[00000030h]	5_2_03B0D34C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE5341 mov eax, dword ptr fs:[00000030h]	5_2_03BE5341
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B992BC mov eax, dword ptr fs:[00000030h]	5_2_03B992BC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B992BC mov eax, dword ptr fs:[00000030h]	5_2_03B992BC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B992BC mov ecx, dword ptr fs:[00000030h]	5_2_03B992BC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B992BC mov ecx, dword ptr fs:[00000030h]	5_2_03B992BC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B202A0 mov eax, dword ptr fs:[00000030h]	5_2_03B202A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B202A0 mov eax, dword ptr fs:[00000030h]	5_2_03B202A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B252A0 mov eax, dword ptr fs:[00000030h]	5_2_03B252A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B252A0 mov eax, dword ptr fs:[00000030h]	5_2_03B252A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B252A0 mov eax, dword ptr fs:[00000030h]	5_2_03B252A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B252A0 mov eax, dword ptr fs:[00000030h]	5_2_03B252A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA72A0 mov eax, dword ptr fs:[00000030h]	5_2_03BA72A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA72A0 mov eax, dword ptr fs:[00000030h]	5_2_03BA72A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA62A0 mov eax, dword ptr fs:[00000030h]	5_2_03BA62A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA62A0 mov ecx, dword ptr fs:[00000030h]	5_2_03BA62A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA62A0 mov eax, dword ptr fs:[00000030h]	5_2_03BA62A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA62A0 mov eax, dword ptr fs:[00000030h]	5_2_03BA62A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA62A0 mov eax, dword ptr fs:[00000030h]	5_2_03BA62A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA62A0 mov eax, dword ptr fs:[00000030h]	5_2_03BA62A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD92A6 mov eax, dword ptr fs:[00000030h]	5_2_03BD92A6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD92A6 mov eax, dword ptr fs:[00000030h]	5_2_03BD92A6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD92A6 mov eax, dword ptr fs:[00000030h]	5_2_03BD92A6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD92A6 mov eax, dword ptr fs:[00000030h]	5_2_03BD92A6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4329E mov eax, dword ptr fs:[00000030h]	5_2_03B4329E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4329E mov eax, dword ptr fs:[00000030h]	5_2_03B4329E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4E284 mov eax, dword ptr fs:[00000030h]	5_2_03B4E284
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4E284 mov eax, dword ptr fs:[00000030h]	5_2_03B4E284
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B90283 mov eax, dword ptr fs:[00000030h]	5_2_03B90283
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B90283 mov eax, dword ptr fs:[00000030h]	5_2_03B90283
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B90283 mov eax, dword ptr fs:[00000030h]	5_2_03B90283
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE5283 mov eax, dword ptr fs:[00000030h]	5_2_03BE5283
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCF2F8 mov eax, dword ptr fs:[00000030h]	5_2_03BCF2F8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B092FF mov eax, dword ptr fs:[00000030h]	5_2_03B092FF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC12ED mov eax, dword ptr fs:[00000030h]	5_2_03BC12ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B202E1 mov eax, dword ptr fs:[00000030h]	5_2_03B202E1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B202E1 mov eax, dword ptr fs:[00000030h]	5_2_03B202E1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B202E1 mov eax, dword ptr fs:[00000030h]	5_2_03B202E1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE52E2 mov eax, dword ptr fs:[00000030h]	5_2_03BE52E2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3F2D0 mov eax, dword ptr fs:[00000030h]	5_2_03B3F2D0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3F2D0 mov eax, dword ptr fs:[00000030h]	5_2_03B3F2D0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0B2D3 mov eax, dword ptr fs:[00000030h]	5_2_03B0B2D3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0B2D3 mov eax, dword ptr fs:[00000030h]	5_2_03B0B2D3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0B2D3 mov eax, dword ptr fs:[00000030h]	5_2_03B0B2D3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1A2C3 mov eax, dword ptr fs:[00000030h]	5_2_03B1A2C3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1A2C3 mov eax, dword ptr fs:[00000030h]	5_2_03B1A2C3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1A2C3 mov eax, dword ptr fs:[00000030h]	5_2_03B1A2C3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1A2C3 mov eax, dword ptr fs:[00000030h]	5_2_03B1A2C3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1A2C3 mov eax, dword ptr fs:[00000030h]	5_2_03B1A2C3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3B2C0 mov eax, dword ptr fs:[00000030h]	5_2_03B3B2C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3B2C0 mov eax, dword ptr fs:[00000030h]	5_2_03B3B2C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3B2C0 mov eax, dword ptr fs:[00000030h]	5_2_03B3B2C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3B2C0 mov eax, dword ptr fs:[00000030h]	5_2_03B3B2C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3B2C0 mov eax, dword ptr fs:[00000030h]	5_2_03B3B2C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3B2C0 mov eax, dword ptr fs:[00000030h]	5_2_03B3B2C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3B2C0 mov eax, dword ptr fs:[00000030h]	5_2_03B3B2C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B192C5 mov eax, dword ptr fs:[00000030h]	5_2_03B192C5
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B192C5 mov eax, dword ptr fs:[00000030h]	5_2_03B192C5
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0823B mov eax, dword ptr fs:[00000030h]	5_2_03B0823B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE5227 mov eax, dword ptr fs:[00000030h]	5_2_03BE5227
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B47208 mov eax, dword ptr fs:[00000030h]	5_2_03B47208
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B47208 mov eax, dword ptr fs:[00000030h]	5_2_03B47208
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B51270 mov eax, dword ptr fs:[00000030h]	5_2_03B51270
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B51270 mov eax, dword ptr fs:[00000030h]	5_2_03B51270
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B39274 mov eax, dword ptr fs:[00000030h]	5_2_03B39274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC0274 mov eax, dword ptr fs:[00000030h]	5_2_03BC0274
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B14260 mov eax, dword ptr fs:[00000030h]	5_2_03B14260
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B14260 mov eax, dword ptr fs:[00000030h]	5_2_03B14260
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B14260 mov eax, dword ptr fs:[00000030h]	5_2_03B14260
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDD26B mov eax, dword ptr fs:[00000030h]	5_2_03BDD26B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BDD26B mov eax, dword ptr fs:[00000030h]	5_2_03BDD26B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0826B mov eax, dword ptr fs:[00000030h]	5_2_03B0826B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0A250 mov eax, dword ptr fs:[00000030h]	5_2_03B0A250
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B16259 mov eax, dword ptr fs:[00000030h]	5_2_03B16259
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCB256 mov eax, dword ptr fs:[00000030h]	5_2_03BCB256
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCB256 mov eax, dword ptr fs:[00000030h]	5_2_03BCB256
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B09240 mov eax, dword ptr fs:[00000030h]	5_2_03B09240
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B09240 mov eax, dword ptr fs:[00000030h]	5_2_03B09240
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4724D mov eax, dword ptr fs:[00000030h]	5_2_03B4724D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2B1B0 mov eax, dword ptr fs:[00000030h]	5_2_03B2B1B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC11A4 mov eax, dword ptr fs:[00000030h]	5_2_03BC11A4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC11A4 mov eax, dword ptr fs:[00000030h]	5_2_03BC11A4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC11A4 mov eax, dword ptr fs:[00000030h]	5_2_03BC11A4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BC11A4 mov eax, dword ptr fs:[00000030h]	5_2_03BC11A4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9019F mov eax, dword ptr fs:[00000030h]	5_2_03B9019F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9019F mov eax, dword ptr fs:[00000030h]	5_2_03B9019F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9019F mov eax, dword ptr fs:[00000030h]	5_2_03B9019F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9019F mov eax, dword ptr fs:[00000030h]	5_2_03B9019F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B67190 mov eax, dword ptr fs:[00000030h]	5_2_03B67190
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0A197 mov eax, dword ptr fs:[00000030h]	5_2_03B0A197
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0A197 mov eax, dword ptr fs:[00000030h]	5_2_03B0A197
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0A197 mov eax, dword ptr fs:[00000030h]	5_2_03B0A197
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B50185 mov eax, dword ptr fs:[00000030h]	5_2_03B50185
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCC188 mov eax, dword ptr fs:[00000030h]	5_2_03BCC188
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCC188 mov eax, dword ptr fs:[00000030h]	5_2_03BCC188
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B401F8 mov eax, dword ptr fs:[00000030h]	5_2_03B401F8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE61E5 mov eax, dword ptr fs:[00000030h]	5_2_03BE61E5
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B351EF mov eax, dword ptr fs:[00000030h]	5_2_03B351EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B151ED mov eax, dword ptr fs:[00000030h]	5_2_03B151ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4D1D0 mov eax, dword ptr fs:[00000030h]	5_2_03B4D1D0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4D1D0 mov ecx, dword ptr fs:[00000030h]	5_2_03B4D1D0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8E1D0 mov eax, dword ptr fs:[00000030h]	5_2_03B8E1D0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8E1D0 mov eax, dword ptr fs:[00000030h]	5_2_03B8E1D0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8E1D0 mov ecx, dword ptr fs:[00000030h]	5_2_03B8E1D0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8E1D0 mov eax, dword ptr fs:[00000030h]	5_2_03B8E1D0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8E1D0 mov eax, dword ptr fs:[00000030h]	5_2_03B8E1D0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE51CB mov eax, dword ptr fs:[00000030h]	5_2_03BE51CB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD61C3 mov eax, dword ptr fs:[00000030h]	5_2_03BD61C3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD61C3 mov eax, dword ptr fs:[00000030h]	5_2_03BD61C3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B11131 mov eax, dword ptr fs:[00000030h]	5_2_03B11131
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B11131 mov eax, dword ptr fs:[00000030h]	5_2_03B11131
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0B136 mov eax, dword ptr fs:[00000030h]	5_2_03B0B136
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0B136 mov eax, dword ptr fs:[00000030h]	5_2_03B0B136
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0B136 mov eax, dword ptr fs:[00000030h]	5_2_03B0B136
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0B136 mov eax, dword ptr fs:[00000030h]	5_2_03B0B136
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B40124 mov eax, dword ptr fs:[00000030h]	5_2_03B40124
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BBA118 mov ecx, dword ptr fs:[00000030h]	5_2_03BBA118
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BBA118 mov eax, dword ptr fs:[00000030h]	5_2_03BBA118
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BBA118 mov eax, dword ptr fs:[00000030h]	5_2_03BBA118
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BBA118 mov eax, dword ptr fs:[00000030h]	5_2_03BBA118
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD0115 mov eax, dword ptr fs:[00000030h]	5_2_03BD0115
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F172 mov eax, dword ptr fs:[00000030h]	5_2_03B0F172
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA9179 mov eax, dword ptr fs:[00000030h]	5_2_03BA9179
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B17152 mov eax, dword ptr fs:[00000030h]	5_2_03B17152
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B16154 mov eax, dword ptr fs:[00000030h]	5_2_03B16154
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B16154 mov eax, dword ptr fs:[00000030h]	5_2_03B16154
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0C156 mov eax, dword ptr fs:[00000030h]	5_2_03B0C156
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE5152 mov eax, dword ptr fs:[00000030h]	5_2_03BE5152
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B09148 mov eax, dword ptr fs:[00000030h]	5_2_03B09148
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B09148 mov eax, dword ptr fs:[00000030h]	5_2_03B09148
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B09148 mov eax, dword ptr fs:[00000030h]	5_2_03B09148
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B09148 mov eax, dword ptr fs:[00000030h]	5_2_03B09148
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA4144 mov eax, dword ptr fs:[00000030h]	5_2_03BA4144
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA4144 mov eax, dword ptr fs:[00000030h]	5_2_03BA4144
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA4144 mov ecx, dword ptr fs:[00000030h]	5_2_03BA4144
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA4144 mov eax, dword ptr fs:[00000030h]	5_2_03BA4144
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA4144 mov eax, dword ptr fs:[00000030h]	5_2_03BA4144
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD60B8 mov eax, dword ptr fs:[00000030h]	5_2_03BD60B8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD60B8 mov ecx, dword ptr fs:[00000030h]	5_2_03BD60B8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3D090 mov eax, dword ptr fs:[00000030h]	5_2_03B3D090
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3D090 mov eax, dword ptr fs:[00000030h]	5_2_03B3D090
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B15096 mov eax, dword ptr fs:[00000030h]	5_2_03B15096
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4909C mov eax, dword ptr fs:[00000030h]	5_2_03B4909C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1208A mov eax, dword ptr fs:[00000030h]	5_2_03B1208A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0D08D mov eax, dword ptr fs:[00000030h]	5_2_03B0D08D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0C0F0 mov eax, dword ptr fs:[00000030h]	5_2_03B0C0F0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B520F0 mov ecx, dword ptr fs:[00000030h]	5_2_03B520F0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0A0E3 mov ecx, dword ptr fs:[00000030h]	5_2_03B0A0E3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B350E4 mov eax, dword ptr fs:[00000030h]	5_2_03B350E4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B350E4 mov ecx, dword ptr fs:[00000030h]	5_2_03B350E4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B180E9 mov eax, dword ptr fs:[00000030h]	5_2_03B180E9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B920DE mov eax, dword ptr fs:[00000030h]	5_2_03B920DE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE50D9 mov eax, dword ptr fs:[00000030h]	5_2_03BE50D9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B390DB mov eax, dword ptr fs:[00000030h]	5_2_03B390DB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov ecx, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov ecx, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov ecx, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov ecx, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B270C0 mov eax, dword ptr fs:[00000030h]	5_2_03B270C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8D0C0 mov eax, dword ptr fs:[00000030h]	5_2_03B8D0C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8D0C0 mov eax, dword ptr fs:[00000030h]	5_2_03B8D0C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD903E mov eax, dword ptr fs:[00000030h]	5_2_03BD903E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD903E mov eax, dword ptr fs:[00000030h]	5_2_03BD903E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD903E mov eax, dword ptr fs:[00000030h]	5_2_03BD903E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD903E mov eax, dword ptr fs:[00000030h]	5_2_03BD903E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0A020 mov eax, dword ptr fs:[00000030h]	5_2_03B0A020
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0C020 mov eax, dword ptr fs:[00000030h]	5_2_03B0C020
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2E016 mov eax, dword ptr fs:[00000030h]	5_2_03B2E016
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2E016 mov eax, dword ptr fs:[00000030h]	5_2_03B2E016
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2E016 mov eax, dword ptr fs:[00000030h]	5_2_03B2E016
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2E016 mov eax, dword ptr fs:[00000030h]	5_2_03B2E016
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B94000 mov ecx, dword ptr fs:[00000030h]	5_2_03B94000
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3C073 mov eax, dword ptr fs:[00000030h]	5_2_03B3C073
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov ecx, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B21070 mov eax, dword ptr fs:[00000030h]	5_2_03B21070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8D070 mov ecx, dword ptr fs:[00000030h]	5_2_03B8D070
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9106E mov eax, dword ptr fs:[00000030h]	5_2_03B9106E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE5060 mov eax, dword ptr fs:[00000030h]	5_2_03BE5060
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B12050 mov eax, dword ptr fs:[00000030h]	5_2_03B12050
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3B052 mov eax, dword ptr fs:[00000030h]	5_2_03B3B052
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BB705E mov ebx, dword ptr fs:[00000030h]	5_2_03BB705E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BB705E mov eax, dword ptr fs:[00000030h]	5_2_03BB705E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3D7B0 mov eax, dword ptr fs:[00000030h]	5_2_03B3D7B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE37B6 mov eax, dword ptr fs:[00000030h]	5_2_03BE37B6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h]	5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h]	5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h]	5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h]	5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h]	5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h]	5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h]	5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h]	5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F7BA mov eax, dword ptr fs:[00000030h]	5_2_03B0F7BA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B997A9 mov eax, dword ptr fs:[00000030h]	5_2_03B997A9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9F7AF mov eax, dword ptr fs:[00000030h]	5_2_03B9F7AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9F7AF mov eax, dword ptr fs:[00000030h]	5_2_03B9F7AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9F7AF mov eax, dword ptr fs:[00000030h]	5_2_03B9F7AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9F7AF mov eax, dword ptr fs:[00000030h]	5_2_03B9F7AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9F7AF mov eax, dword ptr fs:[00000030h]	5_2_03B9F7AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B107AF mov eax, dword ptr fs:[00000030h]	5_2_03B107AF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCF78A mov eax, dword ptr fs:[00000030h]	5_2_03BCF78A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B147FB mov eax, dword ptr fs:[00000030h]	5_2_03B147FB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B147FB mov eax, dword ptr fs:[00000030h]	5_2_03B147FB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1D7E0 mov ecx, dword ptr fs:[00000030h]	5_2_03B1D7E0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B327ED mov eax, dword ptr fs:[00000030h]	5_2_03B327ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B327ED mov eax, dword ptr fs:[00000030h]	5_2_03B327ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B327ED mov eax, dword ptr fs:[00000030h]	5_2_03B327ED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1C7C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1C7C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B157C0 mov eax, dword ptr fs:[00000030h]	5_2_03B157C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B157C0 mov eax, dword ptr fs:[00000030h]	5_2_03B157C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B157C0 mov eax, dword ptr fs:[00000030h]	5_2_03B157C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B907C3 mov eax, dword ptr fs:[00000030h]	5_2_03B907C3
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B09730 mov eax, dword ptr fs:[00000030h]	5_2_03B09730
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B09730 mov eax, dword ptr fs:[00000030h]	5_2_03B09730
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B45734 mov eax, dword ptr fs:[00000030h]	5_2_03B45734
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BEB73C mov eax, dword ptr fs:[00000030h]	5_2_03BEB73C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BEB73C mov eax, dword ptr fs:[00000030h]	5_2_03BEB73C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BEB73C mov eax, dword ptr fs:[00000030h]	5_2_03BEB73C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BEB73C mov eax, dword ptr fs:[00000030h]	5_2_03BEB73C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4273C mov eax, dword ptr fs:[00000030h]	5_2_03B4273C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4273C mov ecx, dword ptr fs:[00000030h]	5_2_03B4273C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4273C mov eax, dword ptr fs:[00000030h]	5_2_03B4273C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8C730 mov eax, dword ptr fs:[00000030h]	5_2_03B8C730
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1973A mov eax, dword ptr fs:[00000030h]	5_2_03B1973A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1973A mov eax, dword ptr fs:[00000030h]	5_2_03B1973A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B13720 mov eax, dword ptr fs:[00000030h]	5_2_03B13720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2F720 mov eax, dword ptr fs:[00000030h]	5_2_03B2F720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2F720 mov eax, dword ptr fs:[00000030h]	5_2_03B2F720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2F720 mov eax, dword ptr fs:[00000030h]	5_2_03B2F720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCF72E mov eax, dword ptr fs:[00000030h]	5_2_03BCF72E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4C720 mov eax, dword ptr fs:[00000030h]	5_2_03B4C720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4C720 mov eax, dword ptr fs:[00000030h]	5_2_03B4C720
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD972B mov eax, dword ptr fs:[00000030h]	5_2_03BD972B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B10710 mov eax, dword ptr fs:[00000030h]	5_2_03B10710
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B40710 mov eax, dword ptr fs:[00000030h]	5_2_03B40710
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4F71F mov eax, dword ptr fs:[00000030h]	5_2_03B4F71F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4F71F mov eax, dword ptr fs:[00000030h]	5_2_03B4F71F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B17703 mov eax, dword ptr fs:[00000030h]	5_2_03B17703
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B15702 mov eax, dword ptr fs:[00000030h]	5_2_03B15702
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B15702 mov eax, dword ptr fs:[00000030h]	5_2_03B15702
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4C700 mov eax, dword ptr fs:[00000030h]	5_2_03B4C700
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B18770 mov eax, dword ptr fs:[00000030h]	5_2_03B18770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B20770 mov eax, dword ptr fs:[00000030h]	5_2_03B20770
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0B765 mov eax, dword ptr fs:[00000030h]	5_2_03B0B765
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0B765 mov eax, dword ptr fs:[00000030h]	5_2_03B0B765
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0B765 mov eax, dword ptr fs:[00000030h]	5_2_03B0B765
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0B765 mov eax, dword ptr fs:[00000030h]	5_2_03B0B765
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B10750 mov eax, dword ptr fs:[00000030h]	5_2_03B10750
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52750 mov eax, dword ptr fs:[00000030h]	5_2_03B52750
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52750 mov eax, dword ptr fs:[00000030h]	5_2_03B52750
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B94755 mov eax, dword ptr fs:[00000030h]	5_2_03B94755
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B23740 mov eax, dword ptr fs:[00000030h]	5_2_03B23740
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B23740 mov eax, dword ptr fs:[00000030h]	5_2_03B23740
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B23740 mov eax, dword ptr fs:[00000030h]	5_2_03B23740
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE3749 mov eax, dword ptr fs:[00000030h]	5_2_03BE3749
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4674D mov esi, dword ptr fs:[00000030h]	5_2_03B4674D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4674D mov eax, dword ptr fs:[00000030h]	5_2_03B4674D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4674D mov eax, dword ptr fs:[00000030h]	5_2_03B4674D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B076B2 mov eax, dword ptr fs:[00000030h]	5_2_03B076B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B076B2 mov eax, dword ptr fs:[00000030h]	5_2_03B076B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B076B2 mov eax, dword ptr fs:[00000030h]	5_2_03B076B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B466B0 mov eax, dword ptr fs:[00000030h]	5_2_03B466B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4C6A6 mov eax, dword ptr fs:[00000030h]	5_2_03B4C6A6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0D6AA mov eax, dword ptr fs:[00000030h]	5_2_03B0D6AA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0D6AA mov eax, dword ptr fs:[00000030h]	5_2_03B0D6AA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B14690 mov eax, dword ptr fs:[00000030h]	5_2_03B14690
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B14690 mov eax, dword ptr fs:[00000030h]	5_2_03B14690
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9368C mov eax, dword ptr fs:[00000030h]	5_2_03B9368C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9368C mov eax, dword ptr fs:[00000030h]	5_2_03B9368C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9368C mov eax, dword ptr fs:[00000030h]	5_2_03B9368C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B9368C mov eax, dword ptr fs:[00000030h]	5_2_03B9368C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B906F1 mov eax, dword ptr fs:[00000030h]	5_2_03B906F1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B906F1 mov eax, dword ptr fs:[00000030h]	5_2_03B906F1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8E6F2 mov eax, dword ptr fs:[00000030h]	5_2_03B8E6F2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8E6F2 mov eax, dword ptr fs:[00000030h]	5_2_03B8E6F2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8E6F2 mov eax, dword ptr fs:[00000030h]	5_2_03B8E6F2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8E6F2 mov eax, dword ptr fs:[00000030h]	5_2_03B8E6F2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCD6F0 mov eax, dword ptr fs:[00000030h]	5_2_03BCD6F0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3D6E0 mov eax, dword ptr fs:[00000030h]	5_2_03B3D6E0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B3D6E0 mov eax, dword ptr fs:[00000030h]	5_2_03B3D6E0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA36EE mov eax, dword ptr fs:[00000030h]	5_2_03BA36EE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA36EE mov eax, dword ptr fs:[00000030h]	5_2_03BA36EE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA36EE mov eax, dword ptr fs:[00000030h]	5_2_03BA36EE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA36EE mov eax, dword ptr fs:[00000030h]	5_2_03BA36EE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA36EE mov eax, dword ptr fs:[00000030h]	5_2_03BA36EE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BA36EE mov eax, dword ptr fs:[00000030h]	5_2_03BA36EE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B436EF mov eax, dword ptr fs:[00000030h]	5_2_03B436EF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1B6C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1B6C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1B6C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1B6C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1B6C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1B6C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1B6C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1B6C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1B6C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1B6C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1B6C0 mov eax, dword ptr fs:[00000030h]	5_2_03B1B6C0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD16CC mov eax, dword ptr fs:[00000030h]	5_2_03BD16CC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD16CC mov eax, dword ptr fs:[00000030h]	5_2_03BD16CC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD16CC mov eax, dword ptr fs:[00000030h]	5_2_03BD16CC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BD16CC mov eax, dword ptr fs:[00000030h]	5_2_03BD16CC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4A6C7 mov ebx, dword ptr fs:[00000030h]	5_2_03B4A6C7
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4A6C7 mov eax, dword ptr fs:[00000030h]	5_2_03B4A6C7
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BCF6C7 mov eax, dword ptr fs:[00000030h]	5_2_03BCF6C7
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B416CF mov eax, dword ptr fs:[00000030h]	5_2_03B416CF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03BE5636 mov eax, dword ptr fs:[00000030h]	5_2_03BE5636
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B46620 mov eax, dword ptr fs:[00000030h]	5_2_03B46620
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B48620 mov eax, dword ptr fs:[00000030h]	5_2_03B48620
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2E627 mov eax, dword ptr fs:[00000030h]	5_2_03B2E627
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F626 mov eax, dword ptr fs:[00000030h]	5_2_03B0F626
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F626 mov eax, dword ptr fs:[00000030h]	5_2_03B0F626
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F626 mov eax, dword ptr fs:[00000030h]	5_2_03B0F626
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F626 mov eax, dword ptr fs:[00000030h]	5_2_03B0F626
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F626 mov eax, dword ptr fs:[00000030h]	5_2_03B0F626
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F626 mov eax, dword ptr fs:[00000030h]	5_2_03B0F626
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F626 mov eax, dword ptr fs:[00000030h]	5_2_03B0F626
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F626 mov eax, dword ptr fs:[00000030h]	5_2_03B0F626
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B0F626 mov eax, dword ptr fs:[00000030h]	5_2_03B0F626
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B1262C mov eax, dword ptr fs:[00000030h]	5_2_03B1262C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B13616 mov eax, dword ptr fs:[00000030h]	5_2_03B13616
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B13616 mov eax, dword ptr fs:[00000030h]	5_2_03B13616
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B52619 mov eax, dword ptr fs:[00000030h]	5_2_03B52619
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B8E609 mov eax, dword ptr fs:[00000030h]	5_2_03B8E609
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B41607 mov eax, dword ptr fs:[00000030h]	5_2_03B41607
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B4F603 mov eax, dword ptr fs:[00000030h]	5_2_03B4F603
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2260B mov eax, dword ptr fs:[00000030h]	5_2_03B2260B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2260B mov eax, dword ptr fs:[00000030h]	5_2_03B2260B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2260B mov eax, dword ptr fs:[00000030h]	5_2_03B2260B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2260B mov eax, dword ptr fs:[00000030h]	5_2_03B2260B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2260B mov eax, dword ptr fs:[00000030h]	5_2_03B2260B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 5_2_03B2260B mov eax, dword ptr fs:[00000030h]	5_2_03B2260B

Source: C:\Users\user\Desktop\INVOICE.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: INVOICE.exe, ---.cs	Reference to suspicious API methods: LoadLibrary(_FDCF_FDE4_0657_0616_FD49(_0653_FDEE._FD45_FBD0_FDE4))
Source: INVOICE.exe, ---.cs	Reference to suspicious API methods: GetProcAddress(intPtr, _FDCF_FDE4_0657_0616_FD49(_0653_FDEE._FD44))
Source: INVOICE.exe, ---.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.ToArray().Length, 64u, out var _FBCF_FD41_FD4F_065B_FDFC_0611_065C)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\INVOICE.exe	Memory allocated: C:\Windows\System32\notepad.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory allocated: C:\Windows\System32\calc.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 protect: page execute and read and write	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\INVOICE.exe	NtResumeThread: Indirect: 0x27B038F	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	NtMapViewOfSection: Indirect: 0x27B0252	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	NtMapViewOfSection: Indirect: 0x27B0296	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Windows\System32\notepad.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Windows\System32\calc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Windows\System32\cmd.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000 value starts with: 4D5A	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: NULL target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Section loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Section loaded: NULL target: C:\Users\user\Desktop\INVOICE.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Section loaded: NULL target: C:\Users\user\Desktop\INVOICE.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: NULL target: C:\Users\user\Desktop\INVOICE.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Thread register set: target process: 5892			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Thread register set: target process: 5892			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Windows\System32\notepad.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Windows\System32\notepad.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Windows\System32\calc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Windows\System32\calc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Windows\System32\cmd.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Windows\System32\cmd.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3199008	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"	Jump to behavior

Source: explorer.exe, 0000000E.00000003.3855253684.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 0000000E.00000002.4522583879.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.3838495627.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000E.00000002.4522583879.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000002.4524153690.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3838495627.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000002.4522583879.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.3838495627.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000002.4522583879.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.3838495627.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000E.00000002.4522017851.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3837886482.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\INVOICE.exe

Queries volume information: C:\Users\user\Desktop\INVOICE.exe VolumeInformation

Source: C:\Users\user\Desktop\INVOICE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match	File source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 5.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	512 Process Injection	3 Virtualization/Sandbox Evasion	OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	512 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	112 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
INVOICE.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
INVOICE.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 0000000E.00000002.4526405649.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.8.dr	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 0000000E.00000003.3858159922.000000000C549000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4530113471.000000000C549000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3844621759.000000000C549000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 0000000E.00000003.3851770477.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4526405649.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 0000000E.00000003.3855253684.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 0000000E.00000000.3841643921.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000002.4525411811.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.3841607303.0000000008870000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.v	explorer.exe, 0000000E.00000000.3837886482.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4522017851.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://outlook.com	explorer.exe, 0000000E.00000003.3855253684.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.0000000009BA1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4527362496.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000000E.00000002.4524366956.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3840035493.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3857515555.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 0000000E.00000000.3844621759.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.4530113471.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/)s	explorer.exe, 0000000E.00000002.4526405649.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.3851770477.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.3842035324.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520625
Start date and time:	2024-09-27 17:21:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	INVOICE.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@14/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 80% Number of executed functions: 43 Number of non-executed functions: 222
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: INVOICE.exe

Simulations

Behavior and APIs

Time	Type	Description
11:22:25	API Interceptor	1x Sleep call for process: WerFault.exe modified
11:23:17	API Interceptor	5741428x Sleep call for process: findstr.exe modified
11:25:01	API Interceptor	563x Sleep call for process: explorer.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_INVOICE.exe_fec790ac7eb5905e17bf10e44999f63291b7bd7_55fdea1e_25f9db32-c290-45ae-a857-99396b3e14f3\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9933155099148052
Encrypted:	false
SSDEEP:	192:DuvMBqzOFPIi0XcnuaWxUUozuiFuZ24lO8E:iv3OFP+XcnuaGUhzuiFuY4lO8E
MD5:	18BEE07616C5AC88F01572F9DA9CDC4E
SHA1:	09FDAD8A3F57EA0C4F5FBFD98A189A223628B3ED
SHA-256:	185C077E44A9A6CF35E1DB59DFCB62B583CDFECDF2EE5D5E94C3AE2D864F3CDA
SHA-512:	0AD443D9258565BFD22F0ACBF934B0E65C46C83ECEEB80A58394B47AA6DA39ABFC2C15AD933A9C7D52592BA488D5237B2C980DEB8FD38028D8173BA1D597A0A0
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.9.2.4.1.2.5.8.2.3.6.9.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.9.2.4.1.2.7.0.4.2.4.5.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.f.9.d.b.3.2.-.c.2.9.0.-.4.5.a.e.-.a.8.5.7.-.9.9.3.9.6.b.3.e.1.4.f.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.8.4.c.1.d.d.-.b.1.4.a.-.4.d.2.f.-.a.f.e.2.-.2.3.a.5.c.6.a.a.8.3.5.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.I.N.V.O.I.C.E...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.T.r.a.n.s.p.o.n.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.0.4.-.0.0.0.1.-.0.0.1.4.-.0.f.9.1.-.9.6.0.0.f.1.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.8.7.8.5.3.e.9.0.f.6.0.5.6.a.0.6.1.c.8.9.8.f.b.9.d.3.d.a.1.c.a.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.8.5.f.0.3.e.0.a.5.6.7.8.2.d.3.d.7.8.0.c.5.d.f.3.0.7.9.a.f.7.2.3.e.6.0.9.3.b.!.I.N.V.O.I.C.E...e.x.e...

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D5C.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri Sep 27 15:22:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	389439
Entropy (8bit):	3.260036892412381
Encrypted:	false
SSDEEP:	3072:/ik71z8P1CCqvlz3+vQhX4RuoXulhLcS8TF8hLk0W3d:asA/qtz3Q6WXg/c86
MD5:	528147348C21DE2294A82E28382D5DF9
SHA1:	95C9E3B51A133DB2DBC2531C1D792FCB07B17A35
SHA-256:	59BC818EA4D9AADDC9209D4A4BF55EFCB22862E57B25F91BDB2FCD36DF26A53D
SHA-512:	95197186879FEF908DD4D2CAE94E699D712C2F9F96379EC47DA86D1AE857AEA27C860781230DE531B71B86857AE5AAE5BE038AAE95738D81B358243DE935447E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f....................................$...............(........I...t..........l.......8...........T............*.._............7...........9..............................................................................eJ......<:......Lw......................T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EC4.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8608
Entropy (8bit):	3.707657838244589
Encrypted:	false
SSDEEP:	192:R6l7wVeJOVU6YEIYPsNXgmfZnjprr89b4itfQom:R6lXJUU6YEXPsNgmf5C44fW
MD5:	C02D0C79011816EC5930C22FD5A0DF21
SHA1:	0A7B69E20C630C08F030CF225A54150B47A72D7D
SHA-256:	9F6D6C727C27EC01A4753C0D0BE9BBAB72156D8B68824C585BECAE4CA70A684A
SHA-512:	D18479FF48165EA9DC3291BB8FB81087129E063982E6E537455B2BC7338CEBF0CEAD14DC81E6118130E421A68955801A4359B585BC733ADFCF7EF4CFE8472F6A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EF4.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4798
Entropy (8bit):	4.510534465757653
Encrypted:	false
SSDEEP:	48:cvIwWl8zspJg771I9EnWpW8VYjk5Ym8M4JTE6FGJyq8veEFczX8ipZd:uIjf7I7/W7VLoJIHWPKvpZd
MD5:	888AA66BC2777C1BA6AECDB4F161D6F9
SHA1:	442F29CFFDC3B82658D5157CB6E532A640F0FE12
SHA-256:	69301A1FBB504B341D0C37BA4FEEF7CB86BE9A6CC53AE8CA8C562CAFDC5B7F11
SHA-512:	1D85AD2EA8E3255CDE0AE32B99CBE5F3DC531C7B59022C703C0C5B6CD133F229C92785139A760C990C2824C93EF21A774B8073A8FA7670D630FAC5BA4E1CB3E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="518784" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421671361343157
Encrypted:	false
SSDEEP:	6144:WSvfpi6ceLP/9skLmb0OTFWSPHaJG8nAgeMZMMhA2fX4WABlEnNj0uhiTw:1vloTFW+EZMM6DFyh03w
MD5:	CD965BA1E31548162D082CD3FFBDD995
SHA1:	51E53E4B6E257AE8E0E47C9B271EA2B4C8A007F1
SHA-256:	487CAC59A068658CC2CFDB308800D42C2237E85B0C4AC2AD20A43CAECF88DB40
SHA-512:	B71087903A2568D9E00A49F1A1A4AF6F32400FBDC891622102A9A7ED775E6F98F597E6C19841D012C3D90CAFF6B752C043CCF9C29356E9859BA3FDB51E9E8515
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....................................................................................................................................................................................................................................................................................................................................................I.6........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.459584919757143
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	INVOICE.exe
File size:	3'255'839 bytes
MD5:	a008e7dd0417d4b3122820c73bf6631a
SHA1:	9085f03e0a56782d3d780c5df3079af723e6093b
SHA256:	175063717f1764ce13bf928d3f25133299ed5d61f241d63e02d29f6b2d67f4f4
SHA512:	195c321da592c9ca65c374af3987e4ac4d9dd6048c4c68c2159d35d4649f0fce88f0652cee3f3aa44094d33a24d91f66a03d36e174a092004b590b1b0ba7a903
SSDEEP:	12288:ir8+YoJmKYyMeuejswGz5Mj8JO6pdnW5DhQtv2MQDDN0HLpoJmhssP:48EUYMefswGzqjUpsQ1YDayJmhH
TLSH:	E6E51280B81B4E23FCA14238C9D57AF49AFDDE4373FA196FDF090D90645417CA1A297A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h..f.........."...0.p8............... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F2A468 [Tue Sep 24 11:37:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x5ea	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3870	0x3a00	be0ea92cce63d1b1aeebcf0377a7a76a	False	0.6355064655172413	data	6.204514838689041	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x5ea	0x600	57d280fb4b749a5ff5990ae311254c9e	False	0.4212239583333333	data	4.1460215092223	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x60a0	0x360	data			0.41087962962962965
RT_MANIFEST	0x6400	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Target ID:	0
Start time:	11:22:02
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\INVOICE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\INVOICE.exe"
Imagebase:	0x2851ed60000
File size:	3'255'839 bytes
MD5 hash:	A008E7DD0417D4B3122820C73BF6631A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2539757329.0000028520D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	11:22:04
Start date:	27/09/2024
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\notepad.exe"
Imagebase:
File size:	201'216 bytes
MD5 hash:	27F71B12CB585541885A31BE22F61C83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	3
Start time:	11:22:04
Start date:	27/09/2024
Path:	C:\Windows\System32\calc.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\calc.exe"
Imagebase:
File size:	27'648 bytes
MD5 hash:	5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	4
Start time:	11:22:04
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\cmd.exe"
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	11:22:05
Start date:	27/09/2024
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Imagebase:	0x230000
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2478613557.0000000009CF0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2452558116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Target ID:	8
Start time:	11:22:05
Start date:	27/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5892 -s 1088
Imagebase:	0x7ff761550000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	11:22:25
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\SysWOW64\findstr.exe"
Imagebase:
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	12
Start time:	11:22:35
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\findstr.exe"
Imagebase:	0x290000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3915579259.0000000002600000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3915619214.0000000002650000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Target ID:	14
Start time:	11:24:59
Start date:	27/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false