Windows Analysis Report
ORIGINAL INVOICE COAU7230734293.exe

Overview

General Information

Sample name: ORIGINAL INVOICE COAU7230734293.exe
Analysis ID: 1523776
MD5: f6c2a4c4d05e7b76e17a5a7a191ddeb1
SHA1: 0d93776c5acfa7bb9a2ed5bc3ca46e0a525fa6bd
SHA256: ece8d193afdcc6ec2c024e2441f7c0ce25801143573cacf71cf059de9a337275
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: ORIGINAL INVOICE COAU7230734293.exe Virustotal: Detection: 47% Perma Link
Source: ORIGINAL INVOICE COAU7230734293.exe ReversingLabs: Detection: 57%
Yara detected FormBook
Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Uses 32bit PE files
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: QmBB.pdbSHA256H source: ORIGINAL INVOICE COAU7230734293.exe
Source: Binary string: QmBB.pdb source: ORIGINAL INVOICE COAU7230734293.exe
Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734293.exe, ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 4x nop then jmp 06E7C994h 0_2_06E7D04B
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4x nop then mov ebx, 00000004h 4_2_035C04DE
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000005.00000002.183147375227.0000000009450000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180018627893.00000000029E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180024198807.000000000A030000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000005.00000000.180022424107.0000000008FBA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183145776732.0000000008FBA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmB
Source: explorer.exe, 00000005.00000000.180026117504.000000000CBF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183150949902.000000000CBF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/(
Source: explorer.exe, 00000005.00000002.183144984959.0000000008DDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180021816351.0000000008DDA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/P
Source: explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000005.00000002.183150949902.000000000CBAD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBAD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?$
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=30839BE1E99742A69F7CECEEBE3BA9D0&timeOut=5000&oc
Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000005.00000003.180692273783.0000000009084000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180022524216.0000000009084000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183145919952.0000000009084000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comL
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/background/v2.0/jpg/
Source: explorer.exe, 00000005.00000000.180021816351.0000000008DDA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Stock_In
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2112Image.png
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/index/svg/light/greenup.svg
Source: explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/index/svg/light/reddown.svg
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.png
Source: explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.svg
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/hot.svg
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/
Source: explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W02_Most
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd-dark
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm-dark
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m-dark
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gFtr
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gFtr-dark
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 00000005.00000002.183144624425.0000000008D7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvW
Source: explorer.exe, 00000005.00000002.183144624425.0000000008D7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvW-dark
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3-dark
Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000005.00000002.183153717616.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.180691575617.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180028656269.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.comrl
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000005.00000002.183144624425.0000000008D7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1g7bhz.img
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1gKAgr.img
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1l47N2.img
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1lLvot.img
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1nsFzx.img
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA36Tom.img
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6J22N.img
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAywGC0.img
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyxkRJ.img
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBERG9W.img
Source: explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=22fac781-5ff2-4c5e-9dca-d6b3
Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183153717616.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.180691575617.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180028656269.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000005.00000000.180028656269.000000000D1F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183153717616.000000000D1F5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comEM
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://stacker.com/lifestyle/truth-behind-5-unconventional-self-care-rituals-have-gone-viral-tiktok
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://stacker.com/stories
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000002.183153717616.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.180691575617.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180028656269.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comA3
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/cooking/best-road-trip-snacks/
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/food-news/net-worth-guy-fieri/
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.delish.com/restaurants/g33388878/diners-drive-ins-and-dives-restaurant-rules/
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/autos/other/24-used-sports-cars-that-are-notoriously-reliable-yet-crazy-ch
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/channel/source/AZ%20Animals%20US/sr-vid-7etr9q8xun6k6508c3nufaum0de3dqktiq
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/feed
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/foodanddrink/cookingschool/for-the-best-grilled-clams-avoid-this-fatal-mis
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/happy-national-taco-day-here-are-the-best-deals-for-
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/health/other/the-5-carbs-you-should-be-eating-for-insulin-resistance-accor
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/health/other/vacuum-sealing-certain-foods-could-make-you-sick-here-are-7-t
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/relationships/my-dad-was-gay-but-married-to-my-mom-for-64-years-
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/shopping/iphone-16-first-look-while-we-wait-for-apple-intelligen
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/colorado-legally-requires-businesses-to-accept-cash-
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/tour-of-original-1949-frank-lloyd-wright-home-in-michigan
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/retirement/americans-have-just-weeks-left-until-new-social-security-
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/retirement/middle-aged-americans-are-leaving-work-for-months-years-t
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/it-s-not-taxed-at-all-warren-buffett-shared-the-b
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/rich-young-americans-are-ditching-the-stormy-stoc
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/technology/new-tandem-solar-cells-break-efficiency-record-they-could
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/movies/news/all-37-new-movies-dropping-on-netflix-today/ss-AA1rxnU9
Source: explorer.exe, 00000005.00000002.183144984959.0000000008DDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180021816351.0000000008DDA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/dick-van-dyke-forever-you
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/dick-van-dyke-forever-young/ar-AA1lDpRD
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/tyreek-hill-s-traffic-stop-shows-interactions-with-police-can-b
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/6-things-to-watch-for-when-kamala-harris-debates-donald-trum
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/jd-vance-spreads-outrageous-lie-about-hai
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/nvidia-hopes-lightning-will-strike-twice-as-it-aims-to-cor
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/spacex-set-to-launch-billionaire-s-private-crew-on-breakth
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-record-breaking-bass-has-been-caught-in-a-texas-lake/ss-AA1qf3tz
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/james-earl-jones-s-talents-went-far-far-beyond-his-magnificent-voi
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/john-amos-patriarch-on-good-times-and-an-emmy-nominee-for-the-bloc
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/sen-tuberville-blocks-promotion-of-lloyd-austin-s-top-military-aid
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/trump-repeats-false-claims-that-children-are-undergoing-transgende
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/gaza-authorities-say-deadly-blasts-hit-humanitarian-zone/ar-AA1
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/nba/don-t-know-what-to-say-phil-jackson-on-pau-gasol-and-matt-barne
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/nba/johnny-gaudreau-s-wife-reveals-in-eulogy-she-s-pregnant-expecti
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/nba/the-really-challenging-ones-were-heavy-and-mechanical-hakeem-ol
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/can-t-miss-play-vintage-rodgers-jets-qb-gashes-49ers-for-36-y
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/global-entry-vs-tsa-precheck-which-prescreen-will-get-you-thro
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/scientists-finally-solve-mystery-behind-bermuda-triangle-disap
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/news/reacher-spinoff-the-untitled-neagley-project-starring-maria-sten-s
Source: explorer.exe, 00000005.00000002.183144624425.0000000008D7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/news/the-bold-the-beautiful-young-and-the-restless-more-get-premiere-da
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-Miami%2CFlorida?loc=eyJsIjoiTWlhbWkiLCJyIjoiRmxvcmlkYS
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/hourlyforecast/in-Miami%2CFlorida?loc=eyJsIjoiTWlhbWkiLCJyIjoiRmxv
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/tropical-storm-francine-spaghetti-models-show-3-states-
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.pollensense.com/

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: ORIGINAL INVOICE COAU7230734293.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0042BFF3 NtClose, 2_2_0042BFF3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D34E0 NtCreateMutant,LdrInitializeThunk, 2_2_016D34E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2BC0 NtQueryInformationToken,LdrInitializeThunk, 2_2_016D2BC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2B90 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_016D2B90
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2A80 NtClose,LdrInitializeThunk, 2_2_016D2A80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2D10 NtQuerySystemInformation,LdrInitializeThunk, 2_2_016D2D10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2EB0 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_016D2EB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D4260 NtSetContextThread, 2_2_016D4260
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D4570 NtSuspendThread, 2_2_016D4570
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D29F0 NtReadFile, 2_2_016D29F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D29D0 NtWaitForSingleObject, 2_2_016D29D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D38D0 NtGetContextThread, 2_2_016D38D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2B20 NtQueryInformationProcess, 2_2_016D2B20
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2B00 NtQueryValueKey, 2_2_016D2B00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2B10 NtAllocateVirtualMemory, 2_2_016D2B10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2BE0 NtQueryVirtualMemory, 2_2_016D2BE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2B80 NtCreateKey, 2_2_016D2B80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2A10 NtWriteFile, 2_2_016D2A10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2AC0 NtEnumerateValueKey, 2_2_016D2AC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2AA0 NtQueryInformationFile, 2_2_016D2AA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2D50 NtWriteVirtualMemory, 2_2_016D2D50
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2DC0 NtAdjustPrivilegesToken, 2_2_016D2DC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2DA0 NtReadVirtualMemory, 2_2_016D2DA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2C50 NtUnmapViewOfSection, 2_2_016D2C50
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2C20 NtSetInformationFile, 2_2_016D2C20
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2C30 NtMapViewOfSection, 2_2_016D2C30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D3C30 NtOpenProcessToken, 2_2_016D3C30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2C10 NtOpenProcess, 2_2_016D2C10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2CF0 NtDelayExecution, 2_2_016D2CF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2CD0 NtEnumerateKey, 2_2_016D2CD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D3C90 NtOpenThread, 2_2_016D3C90
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2F30 NtOpenDirectoryObject, 2_2_016D2F30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2F00 NtCreateFile, 2_2_016D2F00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2FB0 NtSetValueKey, 2_2_016D2FB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2E50 NtCreateSection, 2_2_016D2E50
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2E00 NtQueueApcThread, 2_2_016D2E00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2EC0 NtQuerySection, 2_2_016D2EC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2ED0 NtResumeThread, 2_2_016D2ED0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2E80 NtCreateProcessEx, 2_2_016D2E80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E34E0 NtCreateMutant,LdrInitializeThunk, 4_2_032E34E0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2B00 NtQueryValueKey,LdrInitializeThunk, 4_2_032E2B00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2B10 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_032E2B10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2B80 NtCreateKey,LdrInitializeThunk, 4_2_032E2B80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2B90 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_032E2B90
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2BC0 NtQueryInformationToken,LdrInitializeThunk, 4_2_032E2BC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2A80 NtClose,LdrInitializeThunk, 4_2_032E2A80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E29F0 NtReadFile,LdrInitializeThunk, 4_2_032E29F0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2F00 NtCreateFile,LdrInitializeThunk, 4_2_032E2F00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2E50 NtCreateSection,LdrInitializeThunk, 4_2_032E2E50
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2D10 NtQuerySystemInformation,LdrInitializeThunk, 4_2_032E2D10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2C30 NtMapViewOfSection,LdrInitializeThunk, 4_2_032E2C30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2CF0 NtDelayExecution,LdrInitializeThunk, 4_2_032E2CF0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E4260 NtSetContextThread, 4_2_032E4260
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E4570 NtSuspendThread, 4_2_032E4570
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2B20 NtQueryInformationProcess, 4_2_032E2B20
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2BE0 NtQueryVirtualMemory, 4_2_032E2BE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2A10 NtWriteFile, 4_2_032E2A10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2AA0 NtQueryInformationFile, 4_2_032E2AA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2AC0 NtEnumerateValueKey, 4_2_032E2AC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E29D0 NtWaitForSingleObject, 4_2_032E29D0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E38D0 NtGetContextThread, 4_2_032E38D0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2F30 NtOpenDirectoryObject, 4_2_032E2F30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2FB0 NtSetValueKey, 4_2_032E2FB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2E00 NtQueueApcThread, 4_2_032E2E00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2EB0 NtProtectVirtualMemory, 4_2_032E2EB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2E80 NtCreateProcessEx, 4_2_032E2E80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2EC0 NtQuerySection, 4_2_032E2EC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2ED0 NtResumeThread, 4_2_032E2ED0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2D50 NtWriteVirtualMemory, 4_2_032E2D50
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2DA0 NtReadVirtualMemory, 4_2_032E2DA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2DC0 NtAdjustPrivilegesToken, 4_2_032E2DC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2C20 NtSetInformationFile, 4_2_032E2C20
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E3C30 NtOpenProcessToken, 4_2_032E3C30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2C10 NtOpenProcess, 4_2_032E2C10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2C50 NtUnmapViewOfSection, 4_2_032E2C50
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E3C90 NtOpenThread, 4_2_032E3C90
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2CD0 NtEnumerateKey, 4_2_032E2CD0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CF018 NtQueryInformationProcess, 4_2_035CF018
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D3908 NtSuspendThread, 4_2_035D3908
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D49D5 NtUnmapViewOfSection, 4_2_035D49D5
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D3F28 NtQueueApcThread, 4_2_035D3F28
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D460C NtMapViewOfSection, 4_2_035D460C
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D35F8 NtSetContextThread, 4_2_035D35F8
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D3C18 NtResumeThread, 4_2_035D3C18
Detected potential crypto function
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_02AEE1F4 0_2_02AEE1F4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_052C01C8 0_2_052C01C8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_052C01D8 0_2_052C01D8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E70D20 0_2_06E70D20
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E71AA8 0_2_06E71AA8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E75899 0_2_06E75899
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E7C875 0_2_06E7C875
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E70613 0_2_06E70613
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E7A5C8 0_2_06E7A5C8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E7A5B8 0_2_06E7A5B8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E71568 0_2_06E71568
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E70568 0_2_06E70568
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E70559 0_2_06E70559
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E78558 0_2_06E78558
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E71558 0_2_06E71558
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E7C875 0_2_06E7C875
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E70040 0_2_06E70040
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E70006 0_2_06E70006
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E78DC8 0_2_06E78DC8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E70D10 0_2_06E70D10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E71A98 0_2_06E71A98
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E7AA00 0_2_06E7AA00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E78990 0_2_06E78990
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00418163 2_2_00418163
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_004030C0 2_2_004030C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0040FA7A 2_2_0040FA7A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0040FA83 2_2_0040FA83
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00416340 2_2_00416340
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00416343 2_2_00416343
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_004024E0 2_2_004024E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0040FCA3 2_2_0040FCA3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0040DD20 2_2_0040DD20
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0040DD23 2_2_0040DD23
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0042E5F3 2_2_0042E5F3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0040DE69 2_2_0040DE69
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016E717A 2_2_016E717A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173D130 2_2_0173D130
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0176010E 2_2_0176010E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BB1E0 2_2_016BB1E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A51C0 2_2_016A51C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174E076 2_2_0174E076
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017570F1 2_2_017570F1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AB0D0 2_2_016AB0D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016900A0 2_2_016900A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D508C 2_2_016D508C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175F330 2_2_0175F330
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AE310 2_2_016AE310
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01691380 2_2_01691380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175124C 2_2_0175124C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168D2EC 2_2_0168D2EC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0176A526 2_2_0176A526
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017575C6 2_2_017575C6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175F5C9 2_2_0175F5C9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A0445 2_2_016A0445
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A2760 2_2_016A2760
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AA760 2_2_016AA760
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01756757 2_2_01756757
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C4670 2_2_016C4670
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174D646 2_2_0174D646
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173D62C 2_2_0173D62C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BC600 2_2_016BC600
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175F6F6 2_2_0175F6F6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169C6E0 2_2_0169C6E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017136EC 2_2_017136EC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175A6C0 2_2_0175A6C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A0680 2_2_016A0680
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016E59C0 2_2_016E59C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169E9A0 2_2_0169E9A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175E9A6 2_2_0175E9A6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01686868 2_2_01686868
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175F872 2_2_0175F872
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A9870 2_2_016A9870
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BB870 2_2_016BB870
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01740835 2_2_01740835
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A3800 2_2_016A3800
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE810 2_2_016CE810
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017578F3 2_2_017578F3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A28C0 2_2_016A28C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017518DA 2_2_017518DA
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017198B2 2_2_017198B2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B6882 2_2_016B6882
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175FB2E 2_2_0175FB2E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016DDB19 2_2_016DDB19
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A0B10 2_2_016A0B10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01714BC0 2_2_01714BC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175EA5B 2_2_0175EA5B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175CA13 2_2_0175CA13
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BFAA0 2_2_016BFAA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175FA89 2_2_0175FA89
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A0D69 2_2_016A0D69
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01757D4C 2_2_01757D4C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175FD27 2_2_0175FD27
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169AD00 2_2_0169AD00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173FDF4 2_2_0173FDF4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A9DD0 2_2_016A9DD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B2DB0 2_2_016B2DB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A3C60 2_2_016A3C60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175EC60 2_2_0175EC60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01756C69 2_2_01756C69
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174EC4C 2_2_0174EC4C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01690C12 2_2_01690C12
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BFCE0 2_2_016BFCE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0176ACEB 2_2_0176ACEB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B8CDF 2_2_016B8CDF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01739C98 2_2_01739C98
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175FF63 2_2_0175FF63
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016ACF00 2_2_016ACF00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A6FE0 2_2_016A6FE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01751FC6 2_2_01751FC6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175EFBF 2_2_0175EFBF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01740E6D 2_2_01740E6D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016E2E48 2_2_016E2E48
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C0E50 2_2_016C0E50
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01692EE8 2_2_01692EE8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01759ED2 2_2_01759ED2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A1EB2 2_2_016A1EB2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01750EAD 2_2_01750EAD
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336F330 4_2_0336F330
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032BE310 4_2_032BE310
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032A1380 4_2_032A1380
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336124C 4_2_0336124C
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0329D2EC 4_2_0329D2EC
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0334D130 4_2_0334D130
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0337010E 4_2_0337010E
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0329F113 4_2_0329F113
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032F717A 4_2_032F717A
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032CB1E0 4_2_032CB1E0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B51C0 4_2_032B51C0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0335E076 4_2_0335E076
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032A00A0 4_2_032A00A0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E508C 4_2_032E508C
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_033670F1 4_2_033670F1
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032BB0D0 4_2_032BB0D0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B2760 4_2_032B2760
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032BA760 4_2_032BA760
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03366757 4_2_03366757
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0334D62C 4_2_0334D62C
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032CC600 4_2_032CC600
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032D4670 4_2_032D4670
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0335D646 4_2_0335D646
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B0680 4_2_032B0680
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336F6F6 4_2_0336F6F6
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032AC6E0 4_2_032AC6E0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_033236EC 4_2_033236EC
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336A6C0 4_2_0336A6C0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0337A526 4_2_0337A526
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_033675C6 4_2_033675C6
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336F5C9 4_2_0336F5C9
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B0445 4_2_032B0445
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0331D480 4_2_0331D480
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336FB2E 4_2_0336FB2E
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032EDB19 4_2_032EDB19
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B0B10 4_2_032B0B10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03324BC0 4_2_03324BC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336CA13 4_2_0336CA13
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336EA5B 4_2_0336EA5B
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032CFAA0 4_2_032CFAA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336FA89 4_2_0336FA89
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032AE9A0 4_2_032AE9A0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336E9A6 4_2_0336E9A6
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032F59C0 4_2_032F59C0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03350835 4_2_03350835
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B3800 4_2_032B3800
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032DE810 4_2_032DE810
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03296868 4_2_03296868
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03325870 4_2_03325870
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336F872 4_2_0336F872
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B9870 4_2_032B9870
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032CB870 4_2_032CB870
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_033298B2 4_2_033298B2
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032C6882 4_2_032C6882
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_033678F3 4_2_033678F3
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B28C0 4_2_032B28C0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_033618DA 4_2_033618DA
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032BCF00 4_2_032BCF00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336FF63 4_2_0336FF63
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336EFBF 4_2_0336EFBF
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B6FE0 4_2_032B6FE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03361FC6 4_2_03361FC6
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03350E6D 4_2_03350E6D
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032F2E48 4_2_032F2E48
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032D0E50 4_2_032D0E50
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B1EB2 4_2_032B1EB2
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03360EAD 4_2_03360EAD
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032A2EE8 4_2_032A2EE8
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03369ED2 4_2_03369ED2
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336FD27 4_2_0336FD27
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032AAD00 4_2_032AAD00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B0D69 4_2_032B0D69
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03367D4C 4_2_03367D4C
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032C2DB0 4_2_032C2DB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0334FDF4 4_2_0334FDF4
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B9DD0 4_2_032B9DD0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032A0C12 4_2_032A0C12
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B3C60 4_2_032B3C60
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336EC60 4_2_0336EC60
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03366C69 4_2_03366C69
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0335EC4C 4_2_0335EC4C
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03349C98 4_2_03349C98
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032CFCE0 4_2_032CFCE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03337CE8 4_2_03337CE8
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0337ACEB 4_2_0337ACEB
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032C8CDF 4_2_032C8CDF
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CF018 4_2_035CF018
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C038E 4_2_035C038E
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CCAE8 4_2_035CCAE8
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CCA8A 4_2_035CCA8A
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CD858 4_2_035CD858
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CE7EC 4_2_035CE7EC
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D552D 4_2_035D552D
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CE456 4_2_035CE456
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D54BD 4_2_035D54BD
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 0329B910 appears 268 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 032F7BE4 appears 96 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 032E5050 appears 36 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 0332EF10 appears 105 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 0331E692 appears 82 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: String function: 016E7BE4 appears 88 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: String function: 0168B910 appears 266 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: String function: 0171EF10 appears 105 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: String function: 016D5050 appears 36 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: String function: 0170E692 appears 79 times
Sample file is different than original file name gathered from version info
Source: ORIGINAL INVOICE COAU7230734293.exe, 00000000.00000000.178053213809.000000000079E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQmBB.exe@ vs ORIGINAL INVOICE COAU7230734293.exe
Source: ORIGINAL INVOICE COAU7230734293.exe, 00000000.00000002.178186045219.00000000071F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs ORIGINAL INVOICE COAU7230734293.exe
Source: ORIGINAL INVOICE COAU7230734293.exe, 00000000.00000002.178179990818.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ORIGINAL INVOICE COAU7230734293.exe
Source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.000000000178D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ORIGINAL INVOICE COAU7230734293.exe
Source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs ORIGINAL INVOICE COAU7230734293.exe
Source: ORIGINAL INVOICE COAU7230734293.exe Binary or memory string: OriginalFilenameQmBB.exe@ vs ORIGINAL INVOICE COAU7230734293.exe
Uses 32bit PE files
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, blowsbhRT5ImjFslmA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.SetAccessControl
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.SetAccessControl
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, blowsbhRT5ImjFslmA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.SetAccessControl
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, blowsbhRT5ImjFslmA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/1@0/0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORIGINAL INVOICE COAU7230734293.exe.log Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Mutant created: NULL
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ORIGINAL INVOICE COAU7230734293.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ORIGINAL INVOICE COAU7230734293.exe Virustotal: Detection: 47%
Source: ORIGINAL INVOICE COAU7230734293.exe ReversingLabs: Detection: 57%
Source: unknown Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe" Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: credui.dll Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: fhcfg.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: efsutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.system.userprofile.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cloudexperiencehostbroker.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: QmBB.pdbSHA256H source: ORIGINAL INVOICE COAU7230734293.exe
Source: Binary string: QmBB.pdb source: ORIGINAL INVOICE COAU7230734293.exe
Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734293.exe, ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.cs .Net Code: vTQC5VobJS System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.3d41ea0.3.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.7820000.5.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.cs .Net Code: vTQC5VobJS System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.cs .Net Code: vTQC5VobJS System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.3d29c80.1.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: 0xE3D84D29 [Sun Feb 18 02:19:21 2091 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E7EBC2 push esp; iretd 0_2_06E7EBC5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0040D0CA push edi; ret 2_2_0040D0CC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00416166 pushfd ; iretd 2_2_004161E5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00417984 push esp; iretd 2_2_0041798A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00413B46 push eax; iretd 2_2_00413B71
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00413B62 push eax; iretd 2_2_00413B71
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00408307 push ds; iretd 2_2_00408309
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00403330 push eax; ret 2_2_00403332
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00415C40 push ebx; ret 2_2_00415C6A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00415C43 push ebx; ret 2_2_00415C6A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00404D23 push esi; retf 2_2_00404D24
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00417FD0 push esp; ret 2_2_00417FD1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_004187E8 push ebx; ret 2_2_004187E9
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D0B3B push 43BCF294h; retf 4_2_035D0B63
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CD3C1 push ebx; retf 4_2_035CD3C2
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CD2D5 push cs; iretd 4_2_035CD301
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C5173 pushad ; iretd 4_2_035C5174
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D51D2 push eax; ret 4_2_035D51D4
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CB858 push ds; retf 4_2_035CB859
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C5F4E push esi; iretd 4_2_035C5F56
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C47AF push ebx; iretd 4_2_035C47DB
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C462F pushfd ; ret 4_2_035C4644
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C5ECC push cs; iretd 4_2_035C5ED4
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C1C73 push eax; iretd 4_2_035C1C74
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: section name: .text entropy: 7.704474646443921
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, EnU8sfvnNd79P1XCuf.cs High entropy of concatenated method names: 'SCZi8P0kTQ', 'noRiM4OHWJ', 'yJMiZr2kmc', 'QSOiy5Hh7c', 'aFsirU872b', 'skyilSX0Oq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, dErwtbOIhEFqxGQZhN.cs High entropy of concatenated method names: 'A347hsA3rE', 'X6a7gVM7tq', 'YoA78yLQyU', 'BXc7Mo7t7O', 'QKn7ydgNsT', 'GYb7lKvNAw', 'NVs7FlXh2D', 'LJE7kJgUr2', 'p1D7xplBd7', 'wt77T49DkY'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.cs High entropy of concatenated method names: 'cK8fm3Skow', 'hb0f6CdRJl', 'naNfYabMvK', 'WNdfLcLXYa', 'WLvfsQVTIe', 'rTefaOA4SG', 'fZJfbDDgG2', 'XMGfPMjwMv', 'S69fDDN2v6', 'KGDfoM1O5O'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, yrkxLgKYAZoa4ATwX6.cs High entropy of concatenated method names: 'Qm1523Gaj', 'JYvAXMPAr', 'snVSEDGfZ', 'uYrIQTBNd', 'AbsgWtdfB', 'KdEe1f5Rj', 'RQcbGPiyXOuydtNSAj', 'CYnDgxmceVowbfMm0B', 'fudiPaYS0', 'ltwdGeBkv'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, uEeXtO4XNIBXYK2Tdev.cs High entropy of concatenated method names: 'sbQ3jwwiXF', 'pC93cXvtga', 'fv235yYWKg', 'Kna3AESuxw', 'KMY3NVfa6o', 'pw03SB8OT7', 'VTk3IhHgbK', 'kxw3hdlD7R', 'WcI3gFMTG9', 'p5q3eTiMjc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, DY27sNeyg9vpC1Hsyn.cs High entropy of concatenated method names: 'APqsN6otQ6', 'd4VsIvkRZf', 'Fy0LZenhhZ', 'PigLyDrH1J', 'SCdLlQdY1Z', 'YQELEtBobk', 'cF1LF4C1g1', 'CnvLkEVUfJ', 'eigLVZe3NP', 'NoiLxwuiCW'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, AVanS4HBACcXACtDee.cs High entropy of concatenated method names: 'rdQ34nVBlm', 'cTT3fNfaob', 'w2b3CeAe6D', 'UIv36BxfCD', 'Pj23YLchXr', 'Jry3sH6Ilu', 'Uf33aJurVB', 'EEWiQ9n9VE', 'pK5iBtTdBY', 'u4sivgT7HF'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, oPNdg4YLFfdoTTjD1o.cs High entropy of concatenated method names: 'Dispose', 'GOh4vmyuAn', 'LckKMsrEB9', 'QZmnnJ44qW', 'sTb4HalxX7', 'Ywl4zS4vhI', 'ProcessDialogKey', 'EVgKXnU8sf', 'PNdK479P1X', 'dufKKNVanS'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, AyBX1DUcYNqriZ0gmj.cs High entropy of concatenated method names: 'TN2woJhELU', 'PbCwqHwkW2', 'ToString', 'NXxw6t2Kg3', 'VAkwYp5psx', 'mCVwLSBZGG', 'kcQwsyIdHF', 'wwxwahcEds', 'ES1wbeAJbY', 'J9wwP181E3'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ywUuoN44toNNkd5Kl6f.cs High entropy of concatenated method names: 'ToString', 'q2edf84rxC', 'zP3dC8CgOp', 'AmgdmX4hQ5', 'lxqd6NAYJ3', 'Ts0dYZyuSM', 'Cf3dL4BGsH', 'ha0dsApkUt', 'RQAhQ3gmeGkJVnAbAj6', 'MxcN7MgWuJqEB8Hca6c'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, jPc8BJrc4FJrw1nAjc.cs High entropy of concatenated method names: 'flD9xK4U0O', 'R1Z9nhfXiU', 'eYJ9rbGihm', 'XUe9WsKLb6', 'm9O9MIr4KU', 'O8Z9Z0llpu', 'o2o9yGIeuX', 'l859lZkKjR', 'mLm9EGtIfT', 'KNh9FlZ3Ig'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, blowsbhRT5ImjFslmA.cs High entropy of concatenated method names: 'J4FYrpMQWs', 'zsjYWF0ELM', 'mVsY1XbjjS', 'ePNYUU1Mau', 'e5gYtdIUKD', 'zpvYpKNY92', 'mJiYQCWuBr', 'mL0YB4juus', 'nxTYvtaFG0', 'G0mYHlo7gc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ObalxXB7HwlS4vhIgV.cs High entropy of concatenated method names: 'Mgti6JojCh', 'NTDiYrZXhu', 'xP6iL9KV3U', 'TvpisGTUcg', 'teSiavSvUO', 'owjibGDomk', 'uhZiPjCb8y', 'XOwiDIob9I', 'sTQioVAAhT', 'mVyiqFIft4'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, YiP9PcVaeG93TFN1IG.cs High entropy of concatenated method names: 'oTVbjMg7kB', 'qfobcH53Hf', 'GcTb5Tdw7t', 'u0nbAijMBB', 'quKbNlvmkm', 'bIEbSSYnFc', 'B72bI3bRl2', 'sZhbhUndtN', 'WGwbgE6aEM', 'vqqbeUcP14'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, bJt9RoCliq8g9gi4p3.cs High entropy of concatenated method names: 'd944blowsb', 'wT54PImjFs', 'tBm4o7XDAG', 'ltB4q1hY27', 'SHs49ynkqR', 'yCA4JmihMg', 'cIoTDuK1MQaG5QVsWf', 'XPZlSyn9YkSbyC747s', 'EvT44aXYCG', 'fxj4fXfYyb'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, cRres3FcRBOksLVL86.cs High entropy of concatenated method names: 'pGXb6bJqWn', 'PgCbLy4UUM', 'RBMba6M9VS', 'bpqaHSMvQU', 'uJYazdsQ3h', 'cNGbXHO8HZ', 'Qqnb4U8nY3', 'xTwbK3MdIC', 'juAbfG5klu', 'FIybCFm8Ys'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, TqMivSL7iPXNkQJhTi.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'RgrKvebWlJ', 'm6nKHAtHW9', 'a9TKzaeZya', 'QFwfXZytql', 'lebf4QGWjs', 'ufofK1Fhtg', 'IAIffiEJwc', 'yxfXX7UR6S041Vlf5Cg'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, nwYo7b4fqoaIyCCKAJW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gBMdroKXG2', 'HModWKBFT0', 'V5Ed1oL7Oj', 'b8idUibEPy', 'lp9dt1fw8K', 'oePdp58fpn', 'x1GdQjyRJJ'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, IGirpG1rKZUaYUMgKV.cs High entropy of concatenated method names: 'ToString', 'O07JTJ3MVw', 'SyPJMGcXN3', 'WTVJZvCk3L', 'UQeJy7PTOB', 'tS3JledhnR', 'zwGJEsufmn', 'rJ0JFnJUHM', 'mEcJkJDQpn', 'v60JVHoIM5'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, MqRjCA8mihMgPt3QRs.cs High entropy of concatenated method names: 'CGRamqMvIZ', 'kYZaY5VHoN', 'sH3asiPFIo', 'eQSabodWKq', 'THhaPMSlsU', 'gNZstQj4Tu', 'rGyspbFFAu', 'ibssQT6TVR', 'JdhsBGDqKx', 'XB0svvD4ad'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, MZ930sz4QtWqvlUF7w.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xTu372wWwb', 'Ilr39swOvk', 'g7x3JwrtJc', 'UrB3wiKGQf', 'Rde3i9aDmX', 'XWW33xE82r', 'PiD3df33Xh'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, M9ym5dgBm7XDAGotB1.cs High entropy of concatenated method names: 'niILAYTxYh', 'x0TLSc5Mhv', 'mnTLh6u0cj', 'TaKLgAL2vA', 'cu5L9Ex3wI', 'cxDLJWT0Ze', 'xydLwfUrpL', 'Jv0LijIFDq', 'RK6L33ndhL', 'LplLdZNb1x'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, UnGqAipGRiiehMnM4m.cs High entropy of concatenated method names: 'FgywBGWQyy', 'xr0wHDPfJK', 'GfMiXsYcog', 'I5Oi4PqdND', 'EFywT4rxYv', 'N14wnLFbgy', 'SurwOMkMZo', 'mKUwrJ4SuG', 'gp3wWIhdm2', 'JR4w11atG1'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, EnU8sfvnNd79P1XCuf.cs High entropy of concatenated method names: 'SCZi8P0kTQ', 'noRiM4OHWJ', 'yJMiZr2kmc', 'QSOiy5Hh7c', 'aFsirU872b', 'skyilSX0Oq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, dErwtbOIhEFqxGQZhN.cs High entropy of concatenated method names: 'A347hsA3rE', 'X6a7gVM7tq', 'YoA78yLQyU', 'BXc7Mo7t7O', 'QKn7ydgNsT', 'GYb7lKvNAw', 'NVs7FlXh2D', 'LJE7kJgUr2', 'p1D7xplBd7', 'wt77T49DkY'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.cs High entropy of concatenated method names: 'cK8fm3Skow', 'hb0f6CdRJl', 'naNfYabMvK', 'WNdfLcLXYa', 'WLvfsQVTIe', 'rTefaOA4SG', 'fZJfbDDgG2', 'XMGfPMjwMv', 'S69fDDN2v6', 'KGDfoM1O5O'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, yrkxLgKYAZoa4ATwX6.cs High entropy of concatenated method names: 'Qm1523Gaj', 'JYvAXMPAr', 'snVSEDGfZ', 'uYrIQTBNd', 'AbsgWtdfB', 'KdEe1f5Rj', 'RQcbGPiyXOuydtNSAj', 'CYnDgxmceVowbfMm0B', 'fudiPaYS0', 'ltwdGeBkv'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, uEeXtO4XNIBXYK2Tdev.cs High entropy of concatenated method names: 'sbQ3jwwiXF', 'pC93cXvtga', 'fv235yYWKg', 'Kna3AESuxw', 'KMY3NVfa6o', 'pw03SB8OT7', 'VTk3IhHgbK', 'kxw3hdlD7R', 'WcI3gFMTG9', 'p5q3eTiMjc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, DY27sNeyg9vpC1Hsyn.cs High entropy of concatenated method names: 'APqsN6otQ6', 'd4VsIvkRZf', 'Fy0LZenhhZ', 'PigLyDrH1J', 'SCdLlQdY1Z', 'YQELEtBobk', 'cF1LF4C1g1', 'CnvLkEVUfJ', 'eigLVZe3NP', 'NoiLxwuiCW'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, AVanS4HBACcXACtDee.cs High entropy of concatenated method names: 'rdQ34nVBlm', 'cTT3fNfaob', 'w2b3CeAe6D', 'UIv36BxfCD', 'Pj23YLchXr', 'Jry3sH6Ilu', 'Uf33aJurVB', 'EEWiQ9n9VE', 'pK5iBtTdBY', 'u4sivgT7HF'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, oPNdg4YLFfdoTTjD1o.cs High entropy of concatenated method names: 'Dispose', 'GOh4vmyuAn', 'LckKMsrEB9', 'QZmnnJ44qW', 'sTb4HalxX7', 'Ywl4zS4vhI', 'ProcessDialogKey', 'EVgKXnU8sf', 'PNdK479P1X', 'dufKKNVanS'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, AyBX1DUcYNqriZ0gmj.cs High entropy of concatenated method names: 'TN2woJhELU', 'PbCwqHwkW2', 'ToString', 'NXxw6t2Kg3', 'VAkwYp5psx', 'mCVwLSBZGG', 'kcQwsyIdHF', 'wwxwahcEds', 'ES1wbeAJbY', 'J9wwP181E3'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ywUuoN44toNNkd5Kl6f.cs High entropy of concatenated method names: 'ToString', 'q2edf84rxC', 'zP3dC8CgOp', 'AmgdmX4hQ5', 'lxqd6NAYJ3', 'Ts0dYZyuSM', 'Cf3dL4BGsH', 'ha0dsApkUt', 'RQAhQ3gmeGkJVnAbAj6', 'MxcN7MgWuJqEB8Hca6c'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, jPc8BJrc4FJrw1nAjc.cs High entropy of concatenated method names: 'flD9xK4U0O', 'R1Z9nhfXiU', 'eYJ9rbGihm', 'XUe9WsKLb6', 'm9O9MIr4KU', 'O8Z9Z0llpu', 'o2o9yGIeuX', 'l859lZkKjR', 'mLm9EGtIfT', 'KNh9FlZ3Ig'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, blowsbhRT5ImjFslmA.cs High entropy of concatenated method names: 'J4FYrpMQWs', 'zsjYWF0ELM', 'mVsY1XbjjS', 'ePNYUU1Mau', 'e5gYtdIUKD', 'zpvYpKNY92', 'mJiYQCWuBr', 'mL0YB4juus', 'nxTYvtaFG0', 'G0mYHlo7gc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ObalxXB7HwlS4vhIgV.cs High entropy of concatenated method names: 'Mgti6JojCh', 'NTDiYrZXhu', 'xP6iL9KV3U', 'TvpisGTUcg', 'teSiavSvUO', 'owjibGDomk', 'uhZiPjCb8y', 'XOwiDIob9I', 'sTQioVAAhT', 'mVyiqFIft4'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, YiP9PcVaeG93TFN1IG.cs High entropy of concatenated method names: 'oTVbjMg7kB', 'qfobcH53Hf', 'GcTb5Tdw7t', 'u0nbAijMBB', 'quKbNlvmkm', 'bIEbSSYnFc', 'B72bI3bRl2', 'sZhbhUndtN', 'WGwbgE6aEM', 'vqqbeUcP14'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, bJt9RoCliq8g9gi4p3.cs High entropy of concatenated method names: 'd944blowsb', 'wT54PImjFs', 'tBm4o7XDAG', 'ltB4q1hY27', 'SHs49ynkqR', 'yCA4JmihMg', 'cIoTDuK1MQaG5QVsWf', 'XPZlSyn9YkSbyC747s', 'EvT44aXYCG', 'fxj4fXfYyb'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, cRres3FcRBOksLVL86.cs High entropy of concatenated method names: 'pGXb6bJqWn', 'PgCbLy4UUM', 'RBMba6M9VS', 'bpqaHSMvQU', 'uJYazdsQ3h', 'cNGbXHO8HZ', 'Qqnb4U8nY3', 'xTwbK3MdIC', 'juAbfG5klu', 'FIybCFm8Ys'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, TqMivSL7iPXNkQJhTi.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'RgrKvebWlJ', 'm6nKHAtHW9', 'a9TKzaeZya', 'QFwfXZytql', 'lebf4QGWjs', 'ufofK1Fhtg', 'IAIffiEJwc', 'yxfXX7UR6S041Vlf5Cg'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, nwYo7b4fqoaIyCCKAJW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gBMdroKXG2', 'HModWKBFT0', 'V5Ed1oL7Oj', 'b8idUibEPy', 'lp9dt1fw8K', 'oePdp58fpn', 'x1GdQjyRJJ'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, IGirpG1rKZUaYUMgKV.cs High entropy of concatenated method names: 'ToString', 'O07JTJ3MVw', 'SyPJMGcXN3', 'WTVJZvCk3L', 'UQeJy7PTOB', 'tS3JledhnR', 'zwGJEsufmn', 'rJ0JFnJUHM', 'mEcJkJDQpn', 'v60JVHoIM5'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, MqRjCA8mihMgPt3QRs.cs High entropy of concatenated method names: 'CGRamqMvIZ', 'kYZaY5VHoN', 'sH3asiPFIo', 'eQSabodWKq', 'THhaPMSlsU', 'gNZstQj4Tu', 'rGyspbFFAu', 'ibssQT6TVR', 'JdhsBGDqKx', 'XB0svvD4ad'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, MZ930sz4QtWqvlUF7w.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xTu372wWwb', 'Ilr39swOvk', 'g7x3JwrtJc', 'UrB3wiKGQf', 'Rde3i9aDmX', 'XWW33xE82r', 'PiD3df33Xh'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, M9ym5dgBm7XDAGotB1.cs High entropy of concatenated method names: 'niILAYTxYh', 'x0TLSc5Mhv', 'mnTLh6u0cj', 'TaKLgAL2vA', 'cu5L9Ex3wI', 'cxDLJWT0Ze', 'xydLwfUrpL', 'Jv0LijIFDq', 'RK6L33ndhL', 'LplLdZNb1x'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, UnGqAipGRiiehMnM4m.cs High entropy of concatenated method names: 'FgywBGWQyy', 'xr0wHDPfJK', 'GfMiXsYcog', 'I5Oi4PqdND', 'EFywT4rxYv', 'N14wnLFbgy', 'SurwOMkMZo', 'mKUwrJ4SuG', 'gp3wWIhdm2', 'JR4w11atG1'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, EnU8sfvnNd79P1XCuf.cs High entropy of concatenated method names: 'SCZi8P0kTQ', 'noRiM4OHWJ', 'yJMiZr2kmc', 'QSOiy5Hh7c', 'aFsirU872b', 'skyilSX0Oq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, dErwtbOIhEFqxGQZhN.cs High entropy of concatenated method names: 'A347hsA3rE', 'X6a7gVM7tq', 'YoA78yLQyU', 'BXc7Mo7t7O', 'QKn7ydgNsT', 'GYb7lKvNAw', 'NVs7FlXh2D', 'LJE7kJgUr2', 'p1D7xplBd7', 'wt77T49DkY'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.cs High entropy of concatenated method names: 'cK8fm3Skow', 'hb0f6CdRJl', 'naNfYabMvK', 'WNdfLcLXYa', 'WLvfsQVTIe', 'rTefaOA4SG', 'fZJfbDDgG2', 'XMGfPMjwMv', 'S69fDDN2v6', 'KGDfoM1O5O'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, yrkxLgKYAZoa4ATwX6.cs High entropy of concatenated method names: 'Qm1523Gaj', 'JYvAXMPAr', 'snVSEDGfZ', 'uYrIQTBNd', 'AbsgWtdfB', 'KdEe1f5Rj', 'RQcbGPiyXOuydtNSAj', 'CYnDgxmceVowbfMm0B', 'fudiPaYS0', 'ltwdGeBkv'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, uEeXtO4XNIBXYK2Tdev.cs High entropy of concatenated method names: 'sbQ3jwwiXF', 'pC93cXvtga', 'fv235yYWKg', 'Kna3AESuxw', 'KMY3NVfa6o', 'pw03SB8OT7', 'VTk3IhHgbK', 'kxw3hdlD7R', 'WcI3gFMTG9', 'p5q3eTiMjc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, DY27sNeyg9vpC1Hsyn.cs High entropy of concatenated method names: 'APqsN6otQ6', 'd4VsIvkRZf', 'Fy0LZenhhZ', 'PigLyDrH1J', 'SCdLlQdY1Z', 'YQELEtBobk', 'cF1LF4C1g1', 'CnvLkEVUfJ', 'eigLVZe3NP', 'NoiLxwuiCW'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, AVanS4HBACcXACtDee.cs High entropy of concatenated method names: 'rdQ34nVBlm', 'cTT3fNfaob', 'w2b3CeAe6D', 'UIv36BxfCD', 'Pj23YLchXr', 'Jry3sH6Ilu', 'Uf33aJurVB', 'EEWiQ9n9VE', 'pK5iBtTdBY', 'u4sivgT7HF'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, oPNdg4YLFfdoTTjD1o.cs High entropy of concatenated method names: 'Dispose', 'GOh4vmyuAn', 'LckKMsrEB9', 'QZmnnJ44qW', 'sTb4HalxX7', 'Ywl4zS4vhI', 'ProcessDialogKey', 'EVgKXnU8sf', 'PNdK479P1X', 'dufKKNVanS'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, AyBX1DUcYNqriZ0gmj.cs High entropy of concatenated method names: 'TN2woJhELU', 'PbCwqHwkW2', 'ToString', 'NXxw6t2Kg3', 'VAkwYp5psx', 'mCVwLSBZGG', 'kcQwsyIdHF', 'wwxwahcEds', 'ES1wbeAJbY', 'J9wwP181E3'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ywUuoN44toNNkd5Kl6f.cs High entropy of concatenated method names: 'ToString', 'q2edf84rxC', 'zP3dC8CgOp', 'AmgdmX4hQ5', 'lxqd6NAYJ3', 'Ts0dYZyuSM', 'Cf3dL4BGsH', 'ha0dsApkUt', 'RQAhQ3gmeGkJVnAbAj6', 'MxcN7MgWuJqEB8Hca6c'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, jPc8BJrc4FJrw1nAjc.cs High entropy of concatenated method names: 'flD9xK4U0O', 'R1Z9nhfXiU', 'eYJ9rbGihm', 'XUe9WsKLb6', 'm9O9MIr4KU', 'O8Z9Z0llpu', 'o2o9yGIeuX', 'l859lZkKjR', 'mLm9EGtIfT', 'KNh9FlZ3Ig'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, blowsbhRT5ImjFslmA.cs High entropy of concatenated method names: 'J4FYrpMQWs', 'zsjYWF0ELM', 'mVsY1XbjjS', 'ePNYUU1Mau', 'e5gYtdIUKD', 'zpvYpKNY92', 'mJiYQCWuBr', 'mL0YB4juus', 'nxTYvtaFG0', 'G0mYHlo7gc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ObalxXB7HwlS4vhIgV.cs High entropy of concatenated method names: 'Mgti6JojCh', 'NTDiYrZXhu', 'xP6iL9KV3U', 'TvpisGTUcg', 'teSiavSvUO', 'owjibGDomk', 'uhZiPjCb8y', 'XOwiDIob9I', 'sTQioVAAhT', 'mVyiqFIft4'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, YiP9PcVaeG93TFN1IG.cs High entropy of concatenated method names: 'oTVbjMg7kB', 'qfobcH53Hf', 'GcTb5Tdw7t', 'u0nbAijMBB', 'quKbNlvmkm', 'bIEbSSYnFc', 'B72bI3bRl2', 'sZhbhUndtN', 'WGwbgE6aEM', 'vqqbeUcP14'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, bJt9RoCliq8g9gi4p3.cs High entropy of concatenated method names: 'd944blowsb', 'wT54PImjFs', 'tBm4o7XDAG', 'ltB4q1hY27', 'SHs49ynkqR', 'yCA4JmihMg', 'cIoTDuK1MQaG5QVsWf', 'XPZlSyn9YkSbyC747s', 'EvT44aXYCG', 'fxj4fXfYyb'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, cRres3FcRBOksLVL86.cs High entropy of concatenated method names: 'pGXb6bJqWn', 'PgCbLy4UUM', 'RBMba6M9VS', 'bpqaHSMvQU', 'uJYazdsQ3h', 'cNGbXHO8HZ', 'Qqnb4U8nY3', 'xTwbK3MdIC', 'juAbfG5klu', 'FIybCFm8Ys'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, TqMivSL7iPXNkQJhTi.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'RgrKvebWlJ', 'm6nKHAtHW9', 'a9TKzaeZya', 'QFwfXZytql', 'lebf4QGWjs', 'ufofK1Fhtg', 'IAIffiEJwc', 'yxfXX7UR6S041Vlf5Cg'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, nwYo7b4fqoaIyCCKAJW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gBMdroKXG2', 'HModWKBFT0', 'V5Ed1oL7Oj', 'b8idUibEPy', 'lp9dt1fw8K', 'oePdp58fpn', 'x1GdQjyRJJ'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, IGirpG1rKZUaYUMgKV.cs High entropy of concatenated method names: 'ToString', 'O07JTJ3MVw', 'SyPJMGcXN3', 'WTVJZvCk3L', 'UQeJy7PTOB', 'tS3JledhnR', 'zwGJEsufmn', 'rJ0JFnJUHM', 'mEcJkJDQpn', 'v60JVHoIM5'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, MqRjCA8mihMgPt3QRs.cs High entropy of concatenated method names: 'CGRamqMvIZ', 'kYZaY5VHoN', 'sH3asiPFIo', 'eQSabodWKq', 'THhaPMSlsU', 'gNZstQj4Tu', 'rGyspbFFAu', 'ibssQT6TVR', 'JdhsBGDqKx', 'XB0svvD4ad'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, MZ930sz4QtWqvlUF7w.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xTu372wWwb', 'Ilr39swOvk', 'g7x3JwrtJc', 'UrB3wiKGQf', 'Rde3i9aDmX', 'XWW33xE82r', 'PiD3df33Xh'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, M9ym5dgBm7XDAGotB1.cs High entropy of concatenated method names: 'niILAYTxYh', 'x0TLSc5Mhv', 'mnTLh6u0cj', 'TaKLgAL2vA', 'cu5L9Ex3wI', 'cxDLJWT0Ze', 'xydLwfUrpL', 'Jv0LijIFDq', 'RK6L33ndhL', 'LplLdZNb1x'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, UnGqAipGRiiehMnM4m.cs High entropy of concatenated method names: 'FgywBGWQyy', 'xr0wHDPfJK', 'GfMiXsYcog', 'I5Oi4PqdND', 'EFywT4rxYv', 'N14wnLFbgy', 'SurwOMkMZo', 'mKUwrJ4SuG', 'gp3wWIhdm2', 'JR4w11atG1'
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: ORIGINAL INVOICE COAU7230734293.exe PID: 5096, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe API/Special instruction interceptor: Address: 7FF90770D144
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe API/Special instruction interceptor: Address: 7FF907710594
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe API/Special instruction interceptor: Address: 7FF90770FF74
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe API/Special instruction interceptor: Address: 7FF90770D6C4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe API/Special instruction interceptor: Address: 7FF90770D864
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe API/Special instruction interceptor: Address: 7FF90770D004
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FF90770D144
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FF907710594
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FF90770D764
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FF90770D324
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FF90770D364
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FF90770D004
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FF90770FF74
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FF90770D6C4
Source: C:\Windows\SysWOW64\RpcPing.exe API/Special instruction interceptor: Address: 7FF90770D864
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 2AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 2D00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 2B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 7980000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 8980000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 8B30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 9B30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 9E80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: AE80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: BE80000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1763 rdtsc 2_2_016D1763
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\RpcPing.exe Window / User API: threadDelayed 9852 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 894 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 865 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe API coverage: 1.0 %
Source: C:\Windows\SysWOW64\RpcPing.exe API coverage: 1.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe TID: 5716 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 2552 Thread sleep count: 122 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 2552 Thread sleep time: -244000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 2552 Thread sleep count: 9852 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 2552 Thread sleep time: -19704000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\RpcPing.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\RpcPing.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%; >
Source: RpcPing.exe, 00000004.00000002.180094426559.0000000002CA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2(
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000002.183151981871.000000000CDBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000CDBE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWd32.exe
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1763 rdtsc 2_2_016D1763
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_004172F3 LdrLoadDll, 2_2_004172F3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C716D mov eax, dword ptr fs:[00000030h] 2_2_016C716D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01696179 mov eax, dword ptr fs:[00000030h] 2_2_01696179
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016E717A mov eax, dword ptr fs:[00000030h] 2_2_016E717A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016E717A mov eax, dword ptr fs:[00000030h] 2_2_016E717A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01763157 mov eax, dword ptr fs:[00000030h] 2_2_01763157
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01763157 mov eax, dword ptr fs:[00000030h] 2_2_01763157
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01763157 mov eax, dword ptr fs:[00000030h] 2_2_01763157
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168A147 mov eax, dword ptr fs:[00000030h] 2_2_0168A147
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168A147 mov eax, dword ptr fs:[00000030h] 2_2_0168A147
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168A147 mov eax, dword ptr fs:[00000030h] 2_2_0168A147
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C415F mov eax, dword ptr fs:[00000030h] 2_2_016C415F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0172314A mov eax, dword ptr fs:[00000030h] 2_2_0172314A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0172314A mov eax, dword ptr fs:[00000030h] 2_2_0172314A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0172314A mov eax, dword ptr fs:[00000030h] 2_2_0172314A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0172314A mov eax, dword ptr fs:[00000030h] 2_2_0172314A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01765149 mov eax, dword ptr fs:[00000030h] 2_2_01765149
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171A130 mov eax, dword ptr fs:[00000030h] 2_2_0171A130
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C7128 mov eax, dword ptr fs:[00000030h] 2_2_016C7128
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C7128 mov eax, dword ptr fs:[00000030h] 2_2_016C7128
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174F13E mov eax, dword ptr fs:[00000030h] 2_2_0174F13E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B510F mov eax, dword ptr fs:[00000030h] 2_2_016B510F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169510D mov eax, dword ptr fs:[00000030h] 2_2_0169510D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C0118 mov eax, dword ptr fs:[00000030h] 2_2_016C0118
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F113 mov eax, dword ptr fs:[00000030h] 2_2_0168F113
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016881EB mov eax, dword ptr fs:[00000030h] 2_2_016881EB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0169A1E3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0169A1E3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0169A1E3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0169A1E3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169A1E3 mov eax, dword ptr fs:[00000030h] 2_2_0169A1E3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BB1E0 mov eax, dword ptr fs:[00000030h] 2_2_016BB1E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BB1E0 mov eax, dword ptr fs:[00000030h] 2_2_016BB1E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BB1E0 mov eax, dword ptr fs:[00000030h] 2_2_016BB1E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BB1E0 mov eax, dword ptr fs:[00000030h] 2_2_016BB1E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BB1E0 mov eax, dword ptr fs:[00000030h] 2_2_016BB1E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BB1E0 mov eax, dword ptr fs:[00000030h] 2_2_016BB1E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BB1E0 mov eax, dword ptr fs:[00000030h] 2_2_016BB1E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016991E5 mov eax, dword ptr fs:[00000030h] 2_2_016991E5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016991E5 mov eax, dword ptr fs:[00000030h] 2_2_016991E5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016891F0 mov eax, dword ptr fs:[00000030h] 2_2_016891F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016891F0 mov eax, dword ptr fs:[00000030h] 2_2_016891F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017581EE mov eax, dword ptr fs:[00000030h] 2_2_017581EE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017581EE mov eax, dword ptr fs:[00000030h] 2_2_017581EE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A01F1 mov eax, dword ptr fs:[00000030h] 2_2_016A01F1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A01F1 mov eax, dword ptr fs:[00000030h] 2_2_016A01F1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A01F1 mov eax, dword ptr fs:[00000030h] 2_2_016A01F1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF1F0 mov eax, dword ptr fs:[00000030h] 2_2_016BF1F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF1F0 mov eax, dword ptr fs:[00000030h] 2_2_016BF1F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A01C0 mov eax, dword ptr fs:[00000030h] 2_2_016A01C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A01C0 mov eax, dword ptr fs:[00000030h] 2_2_016A01C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A51C0 mov eax, dword ptr fs:[00000030h] 2_2_016A51C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A51C0 mov eax, dword ptr fs:[00000030h] 2_2_016A51C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A51C0 mov eax, dword ptr fs:[00000030h] 2_2_016A51C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A51C0 mov eax, dword ptr fs:[00000030h] 2_2_016A51C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017651B6 mov eax, dword ptr fs:[00000030h] 2_2_017651B6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE1A4 mov eax, dword ptr fs:[00000030h] 2_2_016CE1A4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE1A4 mov eax, dword ptr fs:[00000030h] 2_2_016CE1A4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C31BE mov eax, dword ptr fs:[00000030h] 2_2_016C31BE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C31BE mov eax, dword ptr fs:[00000030h] 2_2_016C31BE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C41BB mov ecx, dword ptr fs:[00000030h] 2_2_016C41BB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C41BB mov eax, dword ptr fs:[00000030h] 2_2_016C41BB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C41BB mov eax, dword ptr fs:[00000030h] 2_2_016C41BB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01694180 mov eax, dword ptr fs:[00000030h] 2_2_01694180
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01694180 mov eax, dword ptr fs:[00000030h] 2_2_01694180
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01694180 mov eax, dword ptr fs:[00000030h] 2_2_01694180
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1190 mov eax, dword ptr fs:[00000030h] 2_2_016D1190
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1190 mov eax, dword ptr fs:[00000030h] 2_2_016D1190
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B9194 mov eax, dword ptr fs:[00000030h] 2_2_016B9194
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01739060 mov eax, dword ptr fs:[00000030h] 2_2_01739060
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01697072 mov eax, dword ptr fs:[00000030h] 2_2_01697072
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01696074 mov eax, dword ptr fs:[00000030h] 2_2_01696074
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01696074 mov eax, dword ptr fs:[00000030h] 2_2_01696074
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C0044 mov eax, dword ptr fs:[00000030h] 2_2_016C0044
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0176505B mov eax, dword ptr fs:[00000030h] 2_2_0176505B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01691051 mov eax, dword ptr fs:[00000030h] 2_2_01691051
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01691051 mov eax, dword ptr fs:[00000030h] 2_2_01691051
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168D02D mov eax, dword ptr fs:[00000030h] 2_2_0168D02D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01698009 mov eax, dword ptr fs:[00000030h] 2_2_01698009
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B5004 mov eax, dword ptr fs:[00000030h] 2_2_016B5004
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B5004 mov ecx, dword ptr fs:[00000030h] 2_2_016B5004
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2010 mov ecx, dword ptr fs:[00000030h] 2_2_016D2010
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016890F8 mov eax, dword ptr fs:[00000030h] 2_2_016890F8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016890F8 mov eax, dword ptr fs:[00000030h] 2_2_016890F8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016890F8 mov eax, dword ptr fs:[00000030h] 2_2_016890F8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016890F8 mov eax, dword ptr fs:[00000030h] 2_2_016890F8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CD0F0 mov eax, dword ptr fs:[00000030h] 2_2_016CD0F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CD0F0 mov ecx, dword ptr fs:[00000030h] 2_2_016CD0F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168C0F6 mov eax, dword ptr fs:[00000030h] 2_2_0168C0F6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AB0D0 mov eax, dword ptr fs:[00000030h] 2_2_016AB0D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B0D6 mov eax, dword ptr fs:[00000030h] 2_2_0168B0D6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B0D6 mov eax, dword ptr fs:[00000030h] 2_2_0168B0D6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B0D6 mov eax, dword ptr fs:[00000030h] 2_2_0168B0D6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B0D6 mov eax, dword ptr fs:[00000030h] 2_2_0168B0D6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017650B7 mov eax, dword ptr fs:[00000030h] 2_2_017650B7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D00A5 mov eax, dword ptr fs:[00000030h] 2_2_016D00A5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F0A5 mov eax, dword ptr fs:[00000030h] 2_2_0173F0A5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F0A5 mov eax, dword ptr fs:[00000030h] 2_2_0173F0A5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F0A5 mov eax, dword ptr fs:[00000030h] 2_2_0173F0A5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F0A5 mov eax, dword ptr fs:[00000030h] 2_2_0173F0A5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F0A5 mov eax, dword ptr fs:[00000030h] 2_2_0173F0A5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F0A5 mov eax, dword ptr fs:[00000030h] 2_2_0173F0A5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F0A5 mov eax, dword ptr fs:[00000030h] 2_2_0173F0A5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174B0AF mov eax, dword ptr fs:[00000030h] 2_2_0174B0AF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01764080 mov eax, dword ptr fs:[00000030h] 2_2_01764080
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01764080 mov eax, dword ptr fs:[00000030h] 2_2_01764080
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01764080 mov eax, dword ptr fs:[00000030h] 2_2_01764080
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01764080 mov eax, dword ptr fs:[00000030h] 2_2_01764080
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01764080 mov eax, dword ptr fs:[00000030h] 2_2_01764080
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01764080 mov eax, dword ptr fs:[00000030h] 2_2_01764080
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01764080 mov eax, dword ptr fs:[00000030h] 2_2_01764080
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168C090 mov eax, dword ptr fs:[00000030h] 2_2_0168C090
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168A093 mov ecx, dword ptr fs:[00000030h] 2_2_0168A093
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01710371 mov eax, dword ptr fs:[00000030h] 2_2_01710371
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01710371 mov eax, dword ptr fs:[00000030h] 2_2_01710371
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0170E372 mov eax, dword ptr fs:[00000030h] 2_2_0170E372
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0170E372 mov eax, dword ptr fs:[00000030h] 2_2_0170E372
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0170E372 mov eax, dword ptr fs:[00000030h] 2_2_0170E372
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0170E372 mov eax, dword ptr fs:[00000030h] 2_2_0170E372
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B360 mov eax, dword ptr fs:[00000030h] 2_2_0169B360
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B360 mov eax, dword ptr fs:[00000030h] 2_2_0169B360
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B360 mov eax, dword ptr fs:[00000030h] 2_2_0169B360
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B360 mov eax, dword ptr fs:[00000030h] 2_2_0169B360
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B360 mov eax, dword ptr fs:[00000030h] 2_2_0169B360
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B360 mov eax, dword ptr fs:[00000030h] 2_2_0169B360
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE363 mov eax, dword ptr fs:[00000030h] 2_2_016CE363
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE363 mov eax, dword ptr fs:[00000030h] 2_2_016CE363
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE363 mov eax, dword ptr fs:[00000030h] 2_2_016CE363
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE363 mov eax, dword ptr fs:[00000030h] 2_2_016CE363
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE363 mov eax, dword ptr fs:[00000030h] 2_2_016CE363
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE363 mov eax, dword ptr fs:[00000030h] 2_2_016CE363
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE363 mov eax, dword ptr fs:[00000030h] 2_2_016CE363
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE363 mov eax, dword ptr fs:[00000030h] 2_2_016CE363
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B237A mov eax, dword ptr fs:[00000030h] 2_2_016B237A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01688347 mov eax, dword ptr fs:[00000030h] 2_2_01688347
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01688347 mov eax, dword ptr fs:[00000030h] 2_2_01688347
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01688347 mov eax, dword ptr fs:[00000030h] 2_2_01688347
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CA350 mov eax, dword ptr fs:[00000030h] 2_2_016CA350
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168E328 mov eax, dword ptr fs:[00000030h] 2_2_0168E328
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168E328 mov eax, dword ptr fs:[00000030h] 2_2_0168E328
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168E328 mov eax, dword ptr fs:[00000030h] 2_2_0168E328
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01763336 mov eax, dword ptr fs:[00000030h] 2_2_01763336
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B332D mov eax, dword ptr fs:[00000030h] 2_2_016B332D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C8322 mov eax, dword ptr fs:[00000030h] 2_2_016C8322
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C8322 mov eax, dword ptr fs:[00000030h] 2_2_016C8322
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C8322 mov eax, dword ptr fs:[00000030h] 2_2_016C8322
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01689303 mov eax, dword ptr fs:[00000030h] 2_2_01689303
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01689303 mov eax, dword ptr fs:[00000030h] 2_2_01689303
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C631F mov eax, dword ptr fs:[00000030h] 2_2_016C631F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AE310 mov eax, dword ptr fs:[00000030h] 2_2_016AE310
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AE310 mov eax, dword ptr fs:[00000030h] 2_2_016AE310
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AE310 mov eax, dword ptr fs:[00000030h] 2_2_016AE310
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171330C mov eax, dword ptr fs:[00000030h] 2_2_0171330C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171330C mov eax, dword ptr fs:[00000030h] 2_2_0171330C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171330C mov eax, dword ptr fs:[00000030h] 2_2_0171330C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171330C mov eax, dword ptr fs:[00000030h] 2_2_0171330C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174F30A mov eax, dword ptr fs:[00000030h] 2_2_0174F30A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016963CB mov eax, dword ptr fs:[00000030h] 2_2_016963CB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017143D5 mov eax, dword ptr fs:[00000030h] 2_2_017143D5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168E3C0 mov eax, dword ptr fs:[00000030h] 2_2_0168E3C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168E3C0 mov eax, dword ptr fs:[00000030h] 2_2_0168E3C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168E3C0 mov eax, dword ptr fs:[00000030h] 2_2_0168E3C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168C3C7 mov eax, dword ptr fs:[00000030h] 2_2_0168C3C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C33D0 mov eax, dword ptr fs:[00000030h] 2_2_016C33D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C43D0 mov ecx, dword ptr fs:[00000030h] 2_2_016C43D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0170C3B0 mov eax, dword ptr fs:[00000030h] 2_2_0170C3B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016993A6 mov eax, dword ptr fs:[00000030h] 2_2_016993A6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016993A6 mov eax, dword ptr fs:[00000030h] 2_2_016993A6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01691380 mov eax, dword ptr fs:[00000030h] 2_2_01691380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01691380 mov eax, dword ptr fs:[00000030h] 2_2_01691380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01691380 mov eax, dword ptr fs:[00000030h] 2_2_01691380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01691380 mov eax, dword ptr fs:[00000030h] 2_2_01691380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01691380 mov eax, dword ptr fs:[00000030h] 2_2_01691380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AF380 mov eax, dword ptr fs:[00000030h] 2_2_016AF380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AF380 mov eax, dword ptr fs:[00000030h] 2_2_016AF380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AF380 mov eax, dword ptr fs:[00000030h] 2_2_016AF380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AF380 mov eax, dword ptr fs:[00000030h] 2_2_016AF380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AF380 mov eax, dword ptr fs:[00000030h] 2_2_016AF380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AF380 mov eax, dword ptr fs:[00000030h] 2_2_016AF380
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BA390 mov eax, dword ptr fs:[00000030h] 2_2_016BA390
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BA390 mov eax, dword ptr fs:[00000030h] 2_2_016BA390
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BA390 mov eax, dword ptr fs:[00000030h] 2_2_016BA390
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174F38A mov eax, dword ptr fs:[00000030h] 2_2_0174F38A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174D270 mov eax, dword ptr fs:[00000030h] 2_2_0174D270
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0172327E mov eax, dword ptr fs:[00000030h] 2_2_0172327E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0172327E mov eax, dword ptr fs:[00000030h] 2_2_0172327E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0172327E mov eax, dword ptr fs:[00000030h] 2_2_0172327E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0172327E mov eax, dword ptr fs:[00000030h] 2_2_0172327E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0172327E mov eax, dword ptr fs:[00000030h] 2_2_0172327E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0172327E mov eax, dword ptr fs:[00000030h] 2_2_0172327E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B273 mov eax, dword ptr fs:[00000030h] 2_2_0168B273
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B273 mov eax, dword ptr fs:[00000030h] 2_2_0168B273
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B273 mov eax, dword ptr fs:[00000030h] 2_2_0168B273
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF24A mov eax, dword ptr fs:[00000030h] 2_2_016BF24A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174F247 mov eax, dword ptr fs:[00000030h] 2_2_0174F247
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175124C mov eax, dword ptr fs:[00000030h] 2_2_0175124C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175124C mov eax, dword ptr fs:[00000030h] 2_2_0175124C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175124C mov eax, dword ptr fs:[00000030h] 2_2_0175124C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175124C mov eax, dword ptr fs:[00000030h] 2_2_0175124C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CA22B mov eax, dword ptr fs:[00000030h] 2_2_016CA22B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CA22B mov eax, dword ptr fs:[00000030h] 2_2_016CA22B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CA22B mov eax, dword ptr fs:[00000030h] 2_2_016CA22B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01710227 mov eax, dword ptr fs:[00000030h] 2_2_01710227
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01710227 mov eax, dword ptr fs:[00000030h] 2_2_01710227
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01710227 mov eax, dword ptr fs:[00000030h] 2_2_01710227
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B0230 mov ecx, dword ptr fs:[00000030h] 2_2_016B0230
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171B214 mov eax, dword ptr fs:[00000030h] 2_2_0171B214
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171B214 mov eax, dword ptr fs:[00000030h] 2_2_0171B214
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168A200 mov eax, dword ptr fs:[00000030h] 2_2_0168A200
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168821B mov eax, dword ptr fs:[00000030h] 2_2_0168821B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168D2EC mov eax, dword ptr fs:[00000030h] 2_2_0168D2EC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168D2EC mov eax, dword ptr fs:[00000030h] 2_2_0168D2EC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016872E0 mov eax, dword ptr fs:[00000030h] 2_2_016872E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0169A2E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0169A2E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0169A2E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0169A2E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0169A2E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h] 2_2_0169A2E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016982E0 mov eax, dword ptr fs:[00000030h] 2_2_016982E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016982E0 mov eax, dword ptr fs:[00000030h] 2_2_016982E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016982E0 mov eax, dword ptr fs:[00000030h] 2_2_016982E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016982E0 mov eax, dword ptr fs:[00000030h] 2_2_016982E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h] 2_2_016A02F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h] 2_2_016A02F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h] 2_2_016A02F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h] 2_2_016A02F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h] 2_2_016A02F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h] 2_2_016A02F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h] 2_2_016A02F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h] 2_2_016A02F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C32C0 mov eax, dword ptr fs:[00000030h] 2_2_016C32C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C32C0 mov eax, dword ptr fs:[00000030h] 2_2_016C32C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B32C5 mov eax, dword ptr fs:[00000030h] 2_2_016B32C5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017632C9 mov eax, dword ptr fs:[00000030h] 2_2_017632C9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B42AF mov eax, dword ptr fs:[00000030h] 2_2_016B42AF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B42AF mov eax, dword ptr fs:[00000030h] 2_2_016B42AF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016892AF mov eax, dword ptr fs:[00000030h] 2_2_016892AF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0176B2BC mov eax, dword ptr fs:[00000030h] 2_2_0176B2BC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0176B2BC mov eax, dword ptr fs:[00000030h] 2_2_0176B2BC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0176B2BC mov eax, dword ptr fs:[00000030h] 2_2_0176B2BC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0176B2BC mov eax, dword ptr fs:[00000030h] 2_2_0176B2BC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168C2B0 mov ecx, dword ptr fs:[00000030h] 2_2_0168C2B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174F2AE mov eax, dword ptr fs:[00000030h] 2_2_0174F2AE
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017592AB mov eax, dword ptr fs:[00000030h] 2_2_017592AB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0170E289 mov eax, dword ptr fs:[00000030h] 2_2_0170E289
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01697290 mov eax, dword ptr fs:[00000030h] 2_2_01697290
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01697290 mov eax, dword ptr fs:[00000030h] 2_2_01697290
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01697290 mov eax, dword ptr fs:[00000030h] 2_2_01697290
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AC560 mov eax, dword ptr fs:[00000030h] 2_2_016AC560
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169254C mov eax, dword ptr fs:[00000030h] 2_2_0169254C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175A553 mov eax, dword ptr fs:[00000030h] 2_2_0175A553
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0176B55F mov eax, dword ptr fs:[00000030h] 2_2_0176B55F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0176B55F mov eax, dword ptr fs:[00000030h] 2_2_0176B55F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C6540 mov eax, dword ptr fs:[00000030h] 2_2_016C6540
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C8540 mov eax, dword ptr fs:[00000030h] 2_2_016C8540
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016AE547 mov eax, dword ptr fs:[00000030h] 2_2_016AE547
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A252B mov eax, dword ptr fs:[00000030h] 2_2_016A252B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A252B mov eax, dword ptr fs:[00000030h] 2_2_016A252B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A252B mov eax, dword ptr fs:[00000030h] 2_2_016A252B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A252B mov eax, dword ptr fs:[00000030h] 2_2_016A252B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A252B mov eax, dword ptr fs:[00000030h] 2_2_016A252B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A252B mov eax, dword ptr fs:[00000030h] 2_2_016A252B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A252B mov eax, dword ptr fs:[00000030h] 2_2_016A252B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C1527 mov eax, dword ptr fs:[00000030h] 2_2_016C1527
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CF523 mov eax, dword ptr fs:[00000030h] 2_2_016CF523
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2539 mov eax, dword ptr fs:[00000030h] 2_2_016D2539
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168753F mov eax, dword ptr fs:[00000030h] 2_2_0168753F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168753F mov eax, dword ptr fs:[00000030h] 2_2_0168753F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168753F mov eax, dword ptr fs:[00000030h] 2_2_0168753F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01693536 mov eax, dword ptr fs:[00000030h] 2_2_01693536
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01693536 mov eax, dword ptr fs:[00000030h] 2_2_01693536
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CC50D mov eax, dword ptr fs:[00000030h] 2_2_016CC50D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CC50D mov eax, dword ptr fs:[00000030h] 2_2_016CC50D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov ecx, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov ecx, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h] 2_2_0173F51B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01692500 mov eax, dword ptr fs:[00000030h] 2_2_01692500
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B502 mov eax, dword ptr fs:[00000030h] 2_2_0168B502
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171C51D mov eax, dword ptr fs:[00000030h] 2_2_0171C51D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h] 2_2_016BE507
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h] 2_2_016BE507
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h] 2_2_016BE507
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h] 2_2_016BE507
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h] 2_2_016BE507
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h] 2_2_016BE507
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h] 2_2_016BE507
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h] 2_2_016BE507
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h] 2_2_016B1514
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h] 2_2_016B1514
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h] 2_2_016B1514
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h] 2_2_016B1514
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h] 2_2_016B1514
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h] 2_2_016B1514
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C15EF mov eax, dword ptr fs:[00000030h] 2_2_016C15EF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h] 2_2_0169B5E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h] 2_2_0169B5E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h] 2_2_0169B5E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h] 2_2_0169B5E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h] 2_2_0169B5E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h] 2_2_0169B5E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CA5E7 mov ebx, dword ptr fs:[00000030h] 2_2_016CA5E7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CA5E7 mov eax, dword ptr fs:[00000030h] 2_2_016CA5E7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171C5FC mov eax, dword ptr fs:[00000030h] 2_2_0171C5FC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CC5C6 mov eax, dword ptr fs:[00000030h] 2_2_016CC5C6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h] 2_2_0168F5C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h] 2_2_0168F5C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h] 2_2_0168F5C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h] 2_2_0168F5C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h] 2_2_0168F5C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h] 2_2_0168F5C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h] 2_2_0168F5C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h] 2_2_0168F5C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h] 2_2_0168F5C7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017105C6 mov eax, dword ptr fs:[00000030h] 2_2_017105C6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C65D0 mov eax, dword ptr fs:[00000030h] 2_2_016C65D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016945B0 mov eax, dword ptr fs:[00000030h] 2_2_016945B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016945B0 mov eax, dword ptr fs:[00000030h] 2_2_016945B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017185AA mov eax, dword ptr fs:[00000030h] 2_2_017185AA
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171C592 mov eax, dword ptr fs:[00000030h] 2_2_0171C592
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C9580 mov eax, dword ptr fs:[00000030h] 2_2_016C9580
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C9580 mov eax, dword ptr fs:[00000030h] 2_2_016C9580
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CA580 mov eax, dword ptr fs:[00000030h] 2_2_016CA580
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CA580 mov eax, dword ptr fs:[00000030h] 2_2_016CA580
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174F582 mov eax, dword ptr fs:[00000030h] 2_2_0174F582
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0170E588 mov eax, dword ptr fs:[00000030h] 2_2_0170E588
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0170E588 mov eax, dword ptr fs:[00000030h] 2_2_0170E588
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C2594 mov eax, dword ptr fs:[00000030h] 2_2_016C2594
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174F478 mov eax, dword ptr fs:[00000030h] 2_2_0174F478
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175A464 mov eax, dword ptr fs:[00000030h] 2_2_0175A464
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01698470 mov eax, dword ptr fs:[00000030h] 2_2_01698470
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01698470 mov eax, dword ptr fs:[00000030h] 2_2_01698470
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h] 2_2_016A0445
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h] 2_2_016A0445
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h] 2_2_016A0445
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h] 2_2_016A0445
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h] 2_2_016A0445
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h] 2_2_016A0445
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE45E mov eax, dword ptr fs:[00000030h] 2_2_016BE45E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE45E mov eax, dword ptr fs:[00000030h] 2_2_016BE45E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE45E mov eax, dword ptr fs:[00000030h] 2_2_016BE45E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE45E mov eax, dword ptr fs:[00000030h] 2_2_016BE45E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE45E mov eax, dword ptr fs:[00000030h] 2_2_016BE45E
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CD450 mov eax, dword ptr fs:[00000030h] 2_2_016CD450
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CD450 mov eax, dword ptr fs:[00000030h] 2_2_016CD450
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h] 2_2_0169D454
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h] 2_2_0169D454
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h] 2_2_0169D454
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h] 2_2_0169D454
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h] 2_2_0169D454
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h] 2_2_0169D454
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B420 mov eax, dword ptr fs:[00000030h] 2_2_0168B420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C7425 mov eax, dword ptr fs:[00000030h] 2_2_016C7425
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C7425 mov ecx, dword ptr fs:[00000030h] 2_2_016C7425
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01719429 mov eax, dword ptr fs:[00000030h] 2_2_01719429
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171F42F mov eax, dword ptr fs:[00000030h] 2_2_0171F42F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171F42F mov eax, dword ptr fs:[00000030h] 2_2_0171F42F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171F42F mov eax, dword ptr fs:[00000030h] 2_2_0171F42F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171F42F mov eax, dword ptr fs:[00000030h] 2_2_0171F42F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171F42F mov eax, dword ptr fs:[00000030h] 2_2_0171F42F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168640D mov eax, dword ptr fs:[00000030h] 2_2_0168640D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01726400 mov eax, dword ptr fs:[00000030h] 2_2_01726400
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01726400 mov eax, dword ptr fs:[00000030h] 2_2_01726400
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174F409 mov eax, dword ptr fs:[00000030h] 2_2_0174F409
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE4EF mov eax, dword ptr fs:[00000030h] 2_2_016CE4EF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE4EF mov eax, dword ptr fs:[00000030h] 2_2_016CE4EF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174F4FD mov eax, dword ptr fs:[00000030h] 2_2_0174F4FD
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C54E0 mov eax, dword ptr fs:[00000030h] 2_2_016C54E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B94FA mov eax, dword ptr fs:[00000030h] 2_2_016B94FA
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016964F0 mov eax, dword ptr fs:[00000030h] 2_2_016964F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CA4F0 mov eax, dword ptr fs:[00000030h] 2_2_016CA4F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CA4F0 mov eax, dword ptr fs:[00000030h] 2_2_016CA4F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B14C9 mov eax, dword ptr fs:[00000030h] 2_2_016B14C9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B14C9 mov eax, dword ptr fs:[00000030h] 2_2_016B14C9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B14C9 mov eax, dword ptr fs:[00000030h] 2_2_016B14C9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B14C9 mov eax, dword ptr fs:[00000030h] 2_2_016B14C9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B14C9 mov eax, dword ptr fs:[00000030h] 2_2_016B14C9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B44D1 mov eax, dword ptr fs:[00000030h] 2_2_016B44D1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B44D1 mov eax, dword ptr fs:[00000030h] 2_2_016B44D1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF4D0 mov eax, dword ptr fs:[00000030h] 2_2_016BF4D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF4D0 mov eax, dword ptr fs:[00000030h] 2_2_016BF4D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF4D0 mov eax, dword ptr fs:[00000030h] 2_2_016BF4D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF4D0 mov eax, dword ptr fs:[00000030h] 2_2_016BF4D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF4D0 mov eax, dword ptr fs:[00000030h] 2_2_016BF4D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF4D0 mov eax, dword ptr fs:[00000030h] 2_2_016BF4D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF4D0 mov eax, dword ptr fs:[00000030h] 2_2_016BF4D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF4D0 mov eax, dword ptr fs:[00000030h] 2_2_016BF4D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BF4D0 mov eax, dword ptr fs:[00000030h] 2_2_016BF4D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C44A8 mov eax, dword ptr fs:[00000030h] 2_2_016C44A8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016924A2 mov eax, dword ptr fs:[00000030h] 2_2_016924A2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016924A2 mov ecx, dword ptr fs:[00000030h] 2_2_016924A2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CE4BC mov eax, dword ptr fs:[00000030h] 2_2_016CE4BC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171D4A0 mov ecx, dword ptr fs:[00000030h] 2_2_0171D4A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171D4A0 mov eax, dword ptr fs:[00000030h] 2_2_0171D4A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171D4A0 mov eax, dword ptr fs:[00000030h] 2_2_0171D4A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0171C490 mov eax, dword ptr fs:[00000030h] 2_2_0171C490
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C648A mov eax, dword ptr fs:[00000030h] 2_2_016C648A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C648A mov eax, dword ptr fs:[00000030h] 2_2_016C648A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C648A mov eax, dword ptr fs:[00000030h] 2_2_016C648A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01690485 mov ecx, dword ptr fs:[00000030h] 2_2_01690485
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CB490 mov eax, dword ptr fs:[00000030h] 2_2_016CB490
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CB490 mov eax, dword ptr fs:[00000030h] 2_2_016CB490
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016A2760 mov ecx, dword ptr fs:[00000030h] 2_2_016A2760
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1763 mov eax, dword ptr fs:[00000030h] 2_2_016D1763
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1763 mov eax, dword ptr fs:[00000030h] 2_2_016D1763
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1763 mov eax, dword ptr fs:[00000030h] 2_2_016D1763
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1763 mov eax, dword ptr fs:[00000030h] 2_2_016D1763
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1763 mov eax, dword ptr fs:[00000030h] 2_2_016D1763
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1763 mov eax, dword ptr fs:[00000030h] 2_2_016D1763
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01694779 mov eax, dword ptr fs:[00000030h] 2_2_01694779
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_01694779 mov eax, dword ptr fs:[00000030h] 2_2_01694779
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C0774 mov eax, dword ptr fs:[00000030h] 2_2_016C0774
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0173E750 mov eax, dword ptr fs:[00000030h] 2_2_0173E750
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C174A mov eax, dword ptr fs:[00000030h] 2_2_016C174A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C3740 mov eax, dword ptr fs:[00000030h] 2_2_016C3740
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F75B mov eax, dword ptr fs:[00000030h] 2_2_0168F75B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F75B mov eax, dword ptr fs:[00000030h] 2_2_0168F75B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F75B mov eax, dword ptr fs:[00000030h] 2_2_0168F75B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F75B mov eax, dword ptr fs:[00000030h] 2_2_0168F75B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F75B mov eax, dword ptr fs:[00000030h] 2_2_0168F75B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F75B mov eax, dword ptr fs:[00000030h] 2_2_0168F75B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F75B mov eax, dword ptr fs:[00000030h] 2_2_0168F75B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F75B mov eax, dword ptr fs:[00000030h] 2_2_0168F75B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168F75B mov eax, dword ptr fs:[00000030h] 2_2_0168F75B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016CA750 mov eax, dword ptr fs:[00000030h] 2_2_016CA750
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B2755 mov eax, dword ptr fs:[00000030h] 2_2_016B2755
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B2755 mov eax, dword ptr fs:[00000030h] 2_2_016B2755
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B2755 mov eax, dword ptr fs:[00000030h] 2_2_016B2755
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B2755 mov ecx, dword ptr fs:[00000030h] 2_2_016B2755
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B2755 mov eax, dword ptr fs:[00000030h] 2_2_016B2755
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B2755 mov eax, dword ptr fs:[00000030h] 2_2_016B2755
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B9723 mov eax, dword ptr fs:[00000030h] 2_2_016B9723
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174F717 mov eax, dword ptr fs:[00000030h] 2_2_0174F717
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B270D mov eax, dword ptr fs:[00000030h] 2_2_016B270D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B270D mov eax, dword ptr fs:[00000030h] 2_2_016B270D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016B270D mov eax, dword ptr fs:[00000030h] 2_2_016B270D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169D700 mov ecx, dword ptr fs:[00000030h] 2_2_0169D700
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B705 mov eax, dword ptr fs:[00000030h] 2_2_0168B705
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B705 mov eax, dword ptr fs:[00000030h] 2_2_0168B705
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B705 mov eax, dword ptr fs:[00000030h] 2_2_0168B705
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0168B705 mov eax, dword ptr fs:[00000030h] 2_2_0168B705
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169471B mov eax, dword ptr fs:[00000030h] 2_2_0169471B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0169471B mov eax, dword ptr fs:[00000030h] 2_2_0169471B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175970B mov eax, dword ptr fs:[00000030h] 2_2_0175970B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175970B mov eax, dword ptr fs:[00000030h] 2_2_0175970B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016BE7E0 mov eax, dword ptr fs:[00000030h] 2_2_016BE7E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016937E4 mov eax, dword ptr fs:[00000030h] 2_2_016937E4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016937E4 mov eax, dword ptr fs:[00000030h] 2_2_016937E4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016937E4 mov eax, dword ptr fs:[00000030h] 2_2_016937E4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016937E4 mov eax, dword ptr fs:[00000030h] 2_2_016937E4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016937E4 mov eax, dword ptr fs:[00000030h] 2_2_016937E4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016937E4 mov eax, dword ptr fs:[00000030h] 2_2_016937E4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016937E4 mov eax, dword ptr fs:[00000030h] 2_2_016937E4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016977F9 mov eax, dword ptr fs:[00000030h] 2_2_016977F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016977F9 mov eax, dword ptr fs:[00000030h] 2_2_016977F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0174F7CF mov eax, dword ptr fs:[00000030h] 2_2_0174F7CF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_017617BC mov eax, dword ptr fs:[00000030h] 2_2_017617BC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016907A7 mov eax, dword ptr fs:[00000030h] 2_2_016907A7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0175D7A7 mov eax, dword ptr fs:[00000030h] 2_2_0175D7A7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtClose: Direct from: 0x7FF8D33E9E7F
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x4767F1D Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe NtClose: Indirect: 0x19BF629
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtResumeThread: Direct from: 0x476816B Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe NtQueueApcThread: Indirect: 0x19BF598 Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x476FC82 Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe NtSuspendThread: Indirect: 0x19C3ADD Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe NtResumeThread: Indirect: 0x19C3DED Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x7FF9076C2651 Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe NtSetContextThread: Indirect: 0x19C37CD Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory written: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: NULL target: C:\Windows\SysWOW64\RpcPing.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Thread register set: target process: 7608 Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe Thread register set: target process: 7608 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe" Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe" Jump to behavior
Source: RAVCpl64.exe, 00000003.00000002.183140108800.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.178472841975.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180018185324.0000000000B81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: RAVCpl64.exe, 00000003.00000002.183140108800.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.178472841975.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180020314207.00000000041C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: RAVCpl64.exe, 00000003.00000002.183140108800.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.178472841975.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180017693905.0000000000573000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: RAVCpl64.exe, 00000003.00000002.183140108800.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.178472841975.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180018185324.0000000000B81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000003.180694225109.0000000002A1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180018765273.0000000002A1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183140110315.0000000002A1E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndmQX#
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Queries volume information: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1523776 Sample: ORIGINAL INVOICE COAU723073... Startdate: 02/10/2024 Architecture: WINDOWS Score: 100 28 Malicious sample detected (through community Yara rule) 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected FormBook 2->32 34 4 other signatures 2->34 9 ORIGINAL INVOICE COAU7230734293.exe 3 2->9         started        process3 file4 24 ORIGINAL INVOICE COAU7230734293.exe.log, ASCII 9->24 dropped 42 Injects a PE file into a foreign processes 9->42 13 ORIGINAL INVOICE COAU7230734293.exe 9->13         started        signatures5 process6 signatures7 44 Modifies the context of a thread in another process (thread injection) 13->44 46 Maps a DLL or memory area into another process 13->46 48 Queues an APC in another process (thread injection) 13->48 50 Found direct / indirect Syscall (likely to bypass EDR) 13->50 16 RAVCpl64.exe 13->16 injected process8 signatures9 26 Found direct / indirect Syscall (likely to bypass EDR) 16->26 19 RpcPing.exe 16->19         started        process10 signatures11 36 Modifies the context of a thread in another process (thread injection) 19->36 38 Maps a DLL or memory area into another process 19->38 40 Switches to a custom stack to bypass stack traces 19->40 22 explorer.exe 57 1 19->22 injected process12
No contacted IP infos