Windows Analysis Report
ORIGINAL INVOICE COAU7230734293.exe

Overview

General Information

Sample name: ORIGINAL INVOICE COAU7230734293.exe
Analysis ID: 1523776
MD5: f6c2a4c4d05e7b76e17a5a7a191ddeb1
SHA1: 0d93776c5acfa7bb9a2ed5bc3ca46e0a525fa6bd
SHA256: ece8d193afdcc6ec2c024e2441f7c0ce25801143573cacf71cf059de9a337275

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: ORIGINAL INVOICE COAU7230734293.exe Virustotal: Detection: 47%
Source: ORIGINAL INVOICE COAU7230734293.exe ReversingLabs: Detection: 57%
Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: QmBB.pdbSHA256H source: ORIGINAL INVOICE COAU7230734293.exe
Source: Binary string: QmBB.pdb source: ORIGINAL INVOICE COAU7230734293.exe
Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734293.exe, ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 4x nop then jmp 06E7C994h 0_2_06E7D04B
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4x nop then mov ebx, 00000004h 4_2_035C04DE
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/nba/johnny-gaudreau-s-wife-reveals-in-eulogy-she-s-pregnant-expecti
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/nba/the-really-challenging-ones-were-heavy-and-mechanical-hakeem-ol
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/can-t-miss-play-vintage-rodgers-jets-qb-gashes-49ers-for-36-y
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/global-entry-vs-tsa-precheck-which-prescreen-will-get-you-thro
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/scientists-finally-solve-mystery-behind-bermuda-triangle-disap
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/news/reacher-spinoff-the-untitled-neagley-project-starring-maria-sten-s
Source: explorer.exe, 00000005.00000002.183144624425.0000000008D7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/news/the-bold-the-beautiful-young-and-the-restless-more-get-premiere-da
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-Miami%2CFlorida?loc=eyJsIjoiTWlhbWkiLCJyIjoiRmxvcmlkYS
Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/hourlyforecast/in-Miami%2CFlorida?loc=eyJsIjoiTWlhbWkiLCJyIjoiRmxv
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/tropical-storm-francine-spaghetti-models-show-3-states-
Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.pollensense.com/

E-Banking Fraud

Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: ORIGINAL INVOICE COAU7230734293.exe
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0042BFF3 NtClose, 2_2_0042BFF3
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D34E0 NtCreateMutant,LdrInitializeThunk, 2_2_016D34E0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2BC0 NtQueryInformationToken,LdrInitializeThunk, 2_2_016D2BC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2B90 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_016D2B90
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2A80 NtClose,LdrInitializeThunk, 2_2_016D2A80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2D10 NtQuerySystemInformation,LdrInitializeThunk, 2_2_016D2D10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2EB0 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_016D2EB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D4260 NtSetContextThread, 2_2_016D4260
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D4570 NtSuspendThread, 2_2_016D4570
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D29F0 NtReadFile, 2_2_016D29F0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D29D0 NtWaitForSingleObject, 2_2_016D29D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D38D0 NtGetContextThread, 2_2_016D38D0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2B20 NtQueryInformationProcess, 2_2_016D2B20
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2B00 NtQueryValueKey, 2_2_016D2B00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2B10 NtAllocateVirtualMemory, 2_2_016D2B10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2BE0 NtQueryVirtualMemory, 2_2_016D2BE0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2B80 NtCreateKey, 2_2_016D2B80
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2A10 NtWriteFile, 2_2_016D2A10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2AC0 NtEnumerateValueKey, 2_2_016D2AC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2AA0 NtQueryInformationFile, 2_2_016D2AA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2D50 NtWriteVirtualMemory, 2_2_016D2D50
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2DC0 NtAdjustPrivilegesToken, 2_2_016D2DC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2DA0 NtReadVirtualMemory, 2_2_016D2DA0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2C50 NtUnmapViewOfSection, 2_2_016D2C50
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2C20 NtSetInformationFile, 2_2_016D2C20
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2C30 NtMapViewOfSection, 2_2_016D2C30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D3C30 NtOpenProcessToken, 2_2_016D3C30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2C10 NtOpenProcess, 2_2_016D2C10
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2CF0 NtDelayExecution, 2_2_016D2CF0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2CD0 NtEnumerateKey, 2_2_016D2CD0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D3C90 NtOpenThread, 2_2_016D3C90
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2F30 NtOpenDirectoryObject, 2_2_016D2F30
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2F00 NtCreateFile, 2_2_016D2F00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2FB0 NtSetValueKey, 2_2_016D2FB0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2E50 NtCreateSection, 2_2_016D2E50
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2E00 NtQueueApcThread, 2_2_016D2E00
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2EC0 NtQuerySection, 2_2_016D2EC0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2ED0 NtResumeThread, 2_2_016D2ED0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D2E80 NtCreateProcessEx, 2_2_016D2E80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E34E0 NtCreateMutant,LdrInitializeThunk, 4_2_032E34E0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2B00 NtQueryValueKey,LdrInitializeThunk, 4_2_032E2B00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2B10 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_032E2B10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2B80 NtCreateKey,LdrInitializeThunk, 4_2_032E2B80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2B90 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_032E2B90
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2BC0 NtQueryInformationToken,LdrInitializeThunk, 4_2_032E2BC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2A80 NtClose,LdrInitializeThunk, 4_2_032E2A80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E29F0 NtReadFile,LdrInitializeThunk, 4_2_032E29F0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2F00 NtCreateFile,LdrInitializeThunk, 4_2_032E2F00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2E50 NtCreateSection,LdrInitializeThunk, 4_2_032E2E50
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2D10 NtQuerySystemInformation,LdrInitializeThunk, 4_2_032E2D10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2C30 NtMapViewOfSection,LdrInitializeThunk, 4_2_032E2C30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2CF0 NtDelayExecution,LdrInitializeThunk, 4_2_032E2CF0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E4260 NtSetContextThread, 4_2_032E4260
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E4570 NtSuspendThread, 4_2_032E4570
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2B20 NtQueryInformationProcess, 4_2_032E2B20
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2BE0 NtQueryVirtualMemory, 4_2_032E2BE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2A10 NtWriteFile, 4_2_032E2A10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2AA0 NtQueryInformationFile, 4_2_032E2AA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2AC0 NtEnumerateValueKey, 4_2_032E2AC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E29D0 NtWaitForSingleObject, 4_2_032E29D0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E38D0 NtGetContextThread, 4_2_032E38D0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2F30 NtOpenDirectoryObject, 4_2_032E2F30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2FB0 NtSetValueKey, 4_2_032E2FB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2E00 NtQueueApcThread, 4_2_032E2E00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2EB0 NtProtectVirtualMemory, 4_2_032E2EB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2E80 NtCreateProcessEx, 4_2_032E2E80
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2EC0 NtQuerySection, 4_2_032E2EC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2ED0 NtResumeThread, 4_2_032E2ED0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2D50 NtWriteVirtualMemory, 4_2_032E2D50
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2DA0 NtReadVirtualMemory, 4_2_032E2DA0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2DC0 NtAdjustPrivilegesToken, 4_2_032E2DC0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2C20 NtSetInformationFile, 4_2_032E2C20
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E3C30 NtOpenProcessToken, 4_2_032E3C30
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2C10 NtOpenProcess, 4_2_032E2C10
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2C50 NtUnmapViewOfSection, 4_2_032E2C50
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E3C90 NtOpenThread, 4_2_032E3C90
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032E2CD0 NtEnumerateKey, 4_2_032E2CD0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CF018 NtQueryInformationProcess, 4_2_035CF018
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D3908 NtSuspendThread, 4_2_035D3908
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D49D5 NtUnmapViewOfSection, 4_2_035D49D5
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D3F28 NtQueueApcThread, 4_2_035D3F28
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D460C NtMapViewOfSection, 4_2_035D460C
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D35F8 NtSetContextThread, 4_2_035D35F8
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D3C18 NtResumeThread, 4_2_035D3C18
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B28C0 4_2_032B28C0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_033618DA 4_2_033618DA
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032BCF00 4_2_032BCF00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336FF63 4_2_0336FF63
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336EFBF 4_2_0336EFBF
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B6FE0 4_2_032B6FE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03361FC6 4_2_03361FC6
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03350E6D 4_2_03350E6D
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032F2E48 4_2_032F2E48
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032D0E50 4_2_032D0E50
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B1EB2 4_2_032B1EB2
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03360EAD 4_2_03360EAD
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032A2EE8 4_2_032A2EE8
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03369ED2 4_2_03369ED2
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336FD27 4_2_0336FD27
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032AAD00 4_2_032AAD00
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B0D69 4_2_032B0D69
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03367D4C 4_2_03367D4C
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032C2DB0 4_2_032C2DB0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0334FDF4 4_2_0334FDF4
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B9DD0 4_2_032B9DD0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032A0C12 4_2_032A0C12
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032B3C60 4_2_032B3C60
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0336EC60 4_2_0336EC60
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03366C69 4_2_03366C69
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0335EC4C 4_2_0335EC4C
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03349C98 4_2_03349C98
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032CFCE0 4_2_032CFCE0
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_03337CE8 4_2_03337CE8
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_0337ACEB 4_2_0337ACEB
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_032C8CDF 4_2_032C8CDF
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CF018 4_2_035CF018
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C038E 4_2_035C038E
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CCAE8 4_2_035CCAE8
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CCA8A 4_2_035CCA8A
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CD858 4_2_035CD858
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CE7EC 4_2_035CE7EC
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D552D 4_2_035D552D
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CE456 4_2_035CE456
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D54BD 4_2_035D54BD
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 0329B910 appears 268 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 032F7BE4 appears 96 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 032E5050 appears 36 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 0332EF10 appears 105 times
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: String function: 0331E692 appears 82 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: String function: 016E7BE4 appears 88 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: String function: 0168B910 appears 266 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: String function: 0171EF10 appears 105 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: String function: 016D5050 appears 36 times
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: String function: 0170E692 appears 79 times
Source: ORIGINAL INVOICE COAU7230734293.exe, 00000000.00000000.178053213809.000000000079E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQmBB.exe@ vs ORIGINAL INVOICE COAU7230734293.exe
Source: ORIGINAL INVOICE COAU7230734293.exe, 00000000.00000002.178186045219.00000000071F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs ORIGINAL INVOICE COAU7230734293.exe
Source: ORIGINAL INVOICE COAU7230734293.exe, 00000000.00000002.178179990818.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ORIGINAL INVOICE COAU7230734293.exe
Source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.000000000178D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ORIGINAL INVOICE COAU7230734293.exe
Source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRpcPing.exej% vs ORIGINAL INVOICE COAU7230734293.exe
Source: ORIGINAL INVOICE COAU7230734293.exe Binary or memory string: OriginalFilenameQmBB.exe@ vs ORIGINAL INVOICE COAU7230734293.exe
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, blowsbhRT5ImjFslmA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.SetAccessControl
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.SetAccessControl
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, blowsbhRT5ImjFslmA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.SetAccessControl
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.cs Security API names: _0020.AddAccessRule
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, blowsbhRT5ImjFslmA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/1@0/0
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORIGINAL INVOICE COAU7230734293.exe.log
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Mutant created: NULL
Source: ORIGINAL INVOICE COAU7230734293.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ORIGINAL INVOICE COAU7230734293.exe Virustotal: Detection: 47%
Source: ORIGINAL INVOICE COAU7230734293.exe ReversingLabs: Detection: 57%
Source: unknown Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: credui.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: edgegdi.dll
Source: C:\Windows\explorer.exe Section loaded: fhcfg.dll
Source: C:\Windows\explorer.exe Section loaded: efsutil.dll
Source: C:\Windows\explorer.exe Section loaded: mpr.dll
Source: C:\Windows\explorer.exe Section loaded: dsrole.dll
Source: C:\Windows\explorer.exe Section loaded: windows.internal.system.userprofile.dll
Source: C:\Windows\explorer.exe Section loaded: cloudexperiencehostbroker.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: QmBB.pdbSHA256H source: ORIGINAL INVOICE COAU7230734293.exe
Source: Binary string: QmBB.pdb source: ORIGINAL INVOICE COAU7230734293.exe
Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734293.exe, ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.cs .Net Code: vTQC5VobJS System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.3d41ea0.3.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.7820000.5.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.cs .Net Code: vTQC5VobJS System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.cs .Net Code: vTQC5VobJS System.Reflection.Assembly.Load(byte[])
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.3d29c80.1.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: 0xE3D84D29 [Sun Feb 18 02:19:21 2091 UTC]
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E7EBC2 push esp; iretd 0_2_06E7EBC5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0040D0CA push edi; ret 2_2_0040D0CC
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00416166 pushfd ; iretd 2_2_004161E5
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00417984 push esp; iretd 2_2_0041798A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00413B46 push eax; iretd 2_2_00413B71
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00413B62 push eax; iretd 2_2_00413B71
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00408307 push ds; iretd 2_2_00408309
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00403330 push eax; ret 2_2_00403332
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00415C40 push ebx; ret 2_2_00415C6A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00415C43 push ebx; ret 2_2_00415C6A
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00404D23 push esi; retf 2_2_00404D24
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00417FD0 push esp; ret 2_2_00417FD1
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_004187E8 push ebx; ret 2_2_004187E9
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D0B3B push 43BCF294h; retf 4_2_035D0B63
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CD3C1 push ebx; retf 4_2_035CD3C2
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CD2D5 push cs; iretd 4_2_035CD301
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C5173 pushad ; iretd 4_2_035C5174
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D51D2 push eax; ret 4_2_035D51D4
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CB858 push ds; retf 4_2_035CB859
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C5F4E push esi; iretd 4_2_035C5F56
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C47AF push ebx; iretd 4_2_035C47DB
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C462F pushfd ; ret 4_2_035C4644
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C5ECC push cs; iretd 4_2_035C5ED4
Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C1C73 push eax; iretd 4_2_035C1C74
Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: section name: .text entropy: 7.704474646443921
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, EnU8sfvnNd79P1XCuf.cs High entropy of concatenated method names: 'SCZi8P0kTQ', 'noRiM4OHWJ', 'yJMiZr2kmc', 'QSOiy5Hh7c', 'aFsirU872b', 'skyilSX0Oq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, dErwtbOIhEFqxGQZhN.cs High entropy of concatenated method names: 'A347hsA3rE', 'X6a7gVM7tq', 'YoA78yLQyU', 'BXc7Mo7t7O', 'QKn7ydgNsT', 'GYb7lKvNAw', 'NVs7FlXh2D', 'LJE7kJgUr2', 'p1D7xplBd7', 'wt77T49DkY'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.cs High entropy of concatenated method names: 'cK8fm3Skow', 'hb0f6CdRJl', 'naNfYabMvK', 'WNdfLcLXYa', 'WLvfsQVTIe', 'rTefaOA4SG', 'fZJfbDDgG2', 'XMGfPMjwMv', 'S69fDDN2v6', 'KGDfoM1O5O'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, yrkxLgKYAZoa4ATwX6.cs High entropy of concatenated method names: 'Qm1523Gaj', 'JYvAXMPAr', 'snVSEDGfZ', 'uYrIQTBNd', 'AbsgWtdfB', 'KdEe1f5Rj', 'RQcbGPiyXOuydtNSAj', 'CYnDgxmceVowbfMm0B', 'fudiPaYS0', 'ltwdGeBkv'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, uEeXtO4XNIBXYK2Tdev.cs High entropy of concatenated method names: 'sbQ3jwwiXF', 'pC93cXvtga', 'fv235yYWKg', 'Kna3AESuxw', 'KMY3NVfa6o', 'pw03SB8OT7', 'VTk3IhHgbK', 'kxw3hdlD7R', 'WcI3gFMTG9', 'p5q3eTiMjc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, DY27sNeyg9vpC1Hsyn.cs High entropy of concatenated method names: 'APqsN6otQ6', 'd4VsIvkRZf', 'Fy0LZenhhZ', 'PigLyDrH1J', 'SCdLlQdY1Z', 'YQELEtBobk', 'cF1LF4C1g1', 'CnvLkEVUfJ', 'eigLVZe3NP', 'NoiLxwuiCW'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, AVanS4HBACcXACtDee.cs High entropy of concatenated method names: 'rdQ34nVBlm', 'cTT3fNfaob', 'w2b3CeAe6D', 'UIv36BxfCD', 'Pj23YLchXr', 'Jry3sH6Ilu', 'Uf33aJurVB', 'EEWiQ9n9VE', 'pK5iBtTdBY', 'u4sivgT7HF'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, oPNdg4YLFfdoTTjD1o.cs High entropy of concatenated method names: 'Dispose', 'GOh4vmyuAn', 'LckKMsrEB9', 'QZmnnJ44qW', 'sTb4HalxX7', 'Ywl4zS4vhI', 'ProcessDialogKey', 'EVgKXnU8sf', 'PNdK479P1X', 'dufKKNVanS'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, AyBX1DUcYNqriZ0gmj.cs High entropy of concatenated method names: 'TN2woJhELU', 'PbCwqHwkW2', 'ToString', 'NXxw6t2Kg3', 'VAkwYp5psx', 'mCVwLSBZGG', 'kcQwsyIdHF', 'wwxwahcEds', 'ES1wbeAJbY', 'J9wwP181E3'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ywUuoN44toNNkd5Kl6f.cs High entropy of concatenated method names: 'ToString', 'q2edf84rxC', 'zP3dC8CgOp', 'AmgdmX4hQ5', 'lxqd6NAYJ3', 'Ts0dYZyuSM', 'Cf3dL4BGsH', 'ha0dsApkUt', 'RQAhQ3gmeGkJVnAbAj6', 'MxcN7MgWuJqEB8Hca6c'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, jPc8BJrc4FJrw1nAjc.cs High entropy of concatenated method names: 'flD9xK4U0O', 'R1Z9nhfXiU', 'eYJ9rbGihm', 'XUe9WsKLb6', 'm9O9MIr4KU', 'O8Z9Z0llpu', 'o2o9yGIeuX', 'l859lZkKjR', 'mLm9EGtIfT', 'KNh9FlZ3Ig'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, blowsbhRT5ImjFslmA.cs High entropy of concatenated method names: 'J4FYrpMQWs', 'zsjYWF0ELM', 'mVsY1XbjjS', 'ePNYUU1Mau', 'e5gYtdIUKD', 'zpvYpKNY92', 'mJiYQCWuBr', 'mL0YB4juus', 'nxTYvtaFG0', 'G0mYHlo7gc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ObalxXB7HwlS4vhIgV.cs High entropy of concatenated method names: 'Mgti6JojCh', 'NTDiYrZXhu', 'xP6iL9KV3U', 'TvpisGTUcg', 'teSiavSvUO', 'owjibGDomk', 'uhZiPjCb8y', 'XOwiDIob9I', 'sTQioVAAhT', 'mVyiqFIft4'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, YiP9PcVaeG93TFN1IG.cs High entropy of concatenated method names: 'oTVbjMg7kB', 'qfobcH53Hf', 'GcTb5Tdw7t', 'u0nbAijMBB', 'quKbNlvmkm', 'bIEbSSYnFc', 'B72bI3bRl2', 'sZhbhUndtN', 'WGwbgE6aEM', 'vqqbeUcP14'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, bJt9RoCliq8g9gi4p3.cs High entropy of concatenated method names: 'd944blowsb', 'wT54PImjFs', 'tBm4o7XDAG', 'ltB4q1hY27', 'SHs49ynkqR', 'yCA4JmihMg', 'cIoTDuK1MQaG5QVsWf', 'XPZlSyn9YkSbyC747s', 'EvT44aXYCG', 'fxj4fXfYyb'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, cRres3FcRBOksLVL86.cs High entropy of concatenated method names: 'pGXb6bJqWn', 'PgCbLy4UUM', 'RBMba6M9VS', 'bpqaHSMvQU', 'uJYazdsQ3h', 'cNGbXHO8HZ', 'Qqnb4U8nY3', 'xTwbK3MdIC', 'juAbfG5klu', 'FIybCFm8Ys'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, TqMivSL7iPXNkQJhTi.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'RgrKvebWlJ', 'm6nKHAtHW9', 'a9TKzaeZya', 'QFwfXZytql', 'lebf4QGWjs', 'ufofK1Fhtg', 'IAIffiEJwc', 'yxfXX7UR6S041Vlf5Cg'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, nwYo7b4fqoaIyCCKAJW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gBMdroKXG2', 'HModWKBFT0', 'V5Ed1oL7Oj', 'b8idUibEPy', 'lp9dt1fw8K', 'oePdp58fpn', 'x1GdQjyRJJ'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, IGirpG1rKZUaYUMgKV.cs High entropy of concatenated method names: 'ToString', 'O07JTJ3MVw', 'SyPJMGcXN3', 'WTVJZvCk3L', 'UQeJy7PTOB', 'tS3JledhnR', 'zwGJEsufmn', 'rJ0JFnJUHM', 'mEcJkJDQpn', 'v60JVHoIM5'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, MqRjCA8mihMgPt3QRs.cs High entropy of concatenated method names: 'CGRamqMvIZ', 'kYZaY5VHoN', 'sH3asiPFIo', 'eQSabodWKq', 'THhaPMSlsU', 'gNZstQj4Tu', 'rGyspbFFAu', 'ibssQT6TVR', 'JdhsBGDqKx', 'XB0svvD4ad'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, MZ930sz4QtWqvlUF7w.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xTu372wWwb', 'Ilr39swOvk', 'g7x3JwrtJc', 'UrB3wiKGQf', 'Rde3i9aDmX', 'XWW33xE82r', 'PiD3df33Xh'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, M9ym5dgBm7XDAGotB1.cs High entropy of concatenated method names: 'niILAYTxYh', 'x0TLSc5Mhv', 'mnTLh6u0cj', 'TaKLgAL2vA', 'cu5L9Ex3wI', 'cxDLJWT0Ze', 'xydLwfUrpL', 'Jv0LijIFDq', 'RK6L33ndhL', 'LplLdZNb1x'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, UnGqAipGRiiehMnM4m.cs High entropy of concatenated method names: 'FgywBGWQyy', 'xr0wHDPfJK', 'GfMiXsYcog', 'I5Oi4PqdND', 'EFywT4rxYv', 'N14wnLFbgy', 'SurwOMkMZo', 'mKUwrJ4SuG', 'gp3wWIhdm2', 'JR4w11atG1'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, EnU8sfvnNd79P1XCuf.cs High entropy of concatenated method names: 'SCZi8P0kTQ', 'noRiM4OHWJ', 'yJMiZr2kmc', 'QSOiy5Hh7c', 'aFsirU872b', 'skyilSX0Oq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, dErwtbOIhEFqxGQZhN.cs High entropy of concatenated method names: 'A347hsA3rE', 'X6a7gVM7tq', 'YoA78yLQyU', 'BXc7Mo7t7O', 'QKn7ydgNsT', 'GYb7lKvNAw', 'NVs7FlXh2D', 'LJE7kJgUr2', 'p1D7xplBd7', 'wt77T49DkY'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.cs High entropy of concatenated method names: 'cK8fm3Skow', 'hb0f6CdRJl', 'naNfYabMvK', 'WNdfLcLXYa', 'WLvfsQVTIe', 'rTefaOA4SG', 'fZJfbDDgG2', 'XMGfPMjwMv', 'S69fDDN2v6', 'KGDfoM1O5O'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, yrkxLgKYAZoa4ATwX6.cs High entropy of concatenated method names: 'Qm1523Gaj', 'JYvAXMPAr', 'snVSEDGfZ', 'uYrIQTBNd', 'AbsgWtdfB', 'KdEe1f5Rj', 'RQcbGPiyXOuydtNSAj', 'CYnDgxmceVowbfMm0B', 'fudiPaYS0', 'ltwdGeBkv'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, uEeXtO4XNIBXYK2Tdev.cs High entropy of concatenated method names: 'sbQ3jwwiXF', 'pC93cXvtga', 'fv235yYWKg', 'Kna3AESuxw', 'KMY3NVfa6o', 'pw03SB8OT7', 'VTk3IhHgbK', 'kxw3hdlD7R', 'WcI3gFMTG9', 'p5q3eTiMjc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, DY27sNeyg9vpC1Hsyn.cs High entropy of concatenated method names: 'APqsN6otQ6', 'd4VsIvkRZf', 'Fy0LZenhhZ', 'PigLyDrH1J', 'SCdLlQdY1Z', 'YQELEtBobk', 'cF1LF4C1g1', 'CnvLkEVUfJ', 'eigLVZe3NP', 'NoiLxwuiCW'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, AVanS4HBACcXACtDee.cs High entropy of concatenated method names: 'rdQ34nVBlm', 'cTT3fNfaob', 'w2b3CeAe6D', 'UIv36BxfCD', 'Pj23YLchXr', 'Jry3sH6Ilu', 'Uf33aJurVB', 'EEWiQ9n9VE', 'pK5iBtTdBY', 'u4sivgT7HF'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, oPNdg4YLFfdoTTjD1o.cs High entropy of concatenated method names: 'Dispose', 'GOh4vmyuAn', 'LckKMsrEB9', 'QZmnnJ44qW', 'sTb4HalxX7', 'Ywl4zS4vhI', 'ProcessDialogKey', 'EVgKXnU8sf', 'PNdK479P1X', 'dufKKNVanS'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, AyBX1DUcYNqriZ0gmj.cs High entropy of concatenated method names: 'TN2woJhELU', 'PbCwqHwkW2', 'ToString', 'NXxw6t2Kg3', 'VAkwYp5psx', 'mCVwLSBZGG', 'kcQwsyIdHF', 'wwxwahcEds', 'ES1wbeAJbY', 'J9wwP181E3'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ywUuoN44toNNkd5Kl6f.cs High entropy of concatenated method names: 'ToString', 'q2edf84rxC', 'zP3dC8CgOp', 'AmgdmX4hQ5', 'lxqd6NAYJ3', 'Ts0dYZyuSM', 'Cf3dL4BGsH', 'ha0dsApkUt', 'RQAhQ3gmeGkJVnAbAj6', 'MxcN7MgWuJqEB8Hca6c'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, jPc8BJrc4FJrw1nAjc.cs High entropy of concatenated method names: 'flD9xK4U0O', 'R1Z9nhfXiU', 'eYJ9rbGihm', 'XUe9WsKLb6', 'm9O9MIr4KU', 'O8Z9Z0llpu', 'o2o9yGIeuX', 'l859lZkKjR', 'mLm9EGtIfT', 'KNh9FlZ3Ig'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, blowsbhRT5ImjFslmA.cs High entropy of concatenated method names: 'J4FYrpMQWs', 'zsjYWF0ELM', 'mVsY1XbjjS', 'ePNYUU1Mau', 'e5gYtdIUKD', 'zpvYpKNY92', 'mJiYQCWuBr', 'mL0YB4juus', 'nxTYvtaFG0', 'G0mYHlo7gc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ObalxXB7HwlS4vhIgV.cs High entropy of concatenated method names: 'Mgti6JojCh', 'NTDiYrZXhu', 'xP6iL9KV3U', 'TvpisGTUcg', 'teSiavSvUO', 'owjibGDomk', 'uhZiPjCb8y', 'XOwiDIob9I', 'sTQioVAAhT', 'mVyiqFIft4'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, YiP9PcVaeG93TFN1IG.cs High entropy of concatenated method names: 'oTVbjMg7kB', 'qfobcH53Hf', 'GcTb5Tdw7t', 'u0nbAijMBB', 'quKbNlvmkm', 'bIEbSSYnFc', 'B72bI3bRl2', 'sZhbhUndtN', 'WGwbgE6aEM', 'vqqbeUcP14'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, bJt9RoCliq8g9gi4p3.cs High entropy of concatenated method names: 'd944blowsb', 'wT54PImjFs', 'tBm4o7XDAG', 'ltB4q1hY27', 'SHs49ynkqR', 'yCA4JmihMg', 'cIoTDuK1MQaG5QVsWf', 'XPZlSyn9YkSbyC747s', 'EvT44aXYCG', 'fxj4fXfYyb'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, cRres3FcRBOksLVL86.cs High entropy of concatenated method names: 'pGXb6bJqWn', 'PgCbLy4UUM', 'RBMba6M9VS', 'bpqaHSMvQU', 'uJYazdsQ3h', 'cNGbXHO8HZ', 'Qqnb4U8nY3', 'xTwbK3MdIC', 'juAbfG5klu', 'FIybCFm8Ys'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, TqMivSL7iPXNkQJhTi.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'RgrKvebWlJ', 'm6nKHAtHW9', 'a9TKzaeZya', 'QFwfXZytql', 'lebf4QGWjs', 'ufofK1Fhtg', 'IAIffiEJwc', 'yxfXX7UR6S041Vlf5Cg'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, nwYo7b4fqoaIyCCKAJW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gBMdroKXG2', 'HModWKBFT0', 'V5Ed1oL7Oj', 'b8idUibEPy', 'lp9dt1fw8K', 'oePdp58fpn', 'x1GdQjyRJJ'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, IGirpG1rKZUaYUMgKV.cs High entropy of concatenated method names: 'ToString', 'O07JTJ3MVw', 'SyPJMGcXN3', 'WTVJZvCk3L', 'UQeJy7PTOB', 'tS3JledhnR', 'zwGJEsufmn', 'rJ0JFnJUHM', 'mEcJkJDQpn', 'v60JVHoIM5'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, MqRjCA8mihMgPt3QRs.cs High entropy of concatenated method names: 'CGRamqMvIZ', 'kYZaY5VHoN', 'sH3asiPFIo', 'eQSabodWKq', 'THhaPMSlsU', 'gNZstQj4Tu', 'rGyspbFFAu', 'ibssQT6TVR', 'JdhsBGDqKx', 'XB0svvD4ad'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, MZ930sz4QtWqvlUF7w.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xTu372wWwb', 'Ilr39swOvk', 'g7x3JwrtJc', 'UrB3wiKGQf', 'Rde3i9aDmX', 'XWW33xE82r', 'PiD3df33Xh'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, M9ym5dgBm7XDAGotB1.cs High entropy of concatenated method names: 'niILAYTxYh', 'x0TLSc5Mhv', 'mnTLh6u0cj', 'TaKLgAL2vA', 'cu5L9Ex3wI', 'cxDLJWT0Ze', 'xydLwfUrpL', 'Jv0LijIFDq', 'RK6L33ndhL', 'LplLdZNb1x'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, UnGqAipGRiiehMnM4m.cs High entropy of concatenated method names: 'FgywBGWQyy', 'xr0wHDPfJK', 'GfMiXsYcog', 'I5Oi4PqdND', 'EFywT4rxYv', 'N14wnLFbgy', 'SurwOMkMZo', 'mKUwrJ4SuG', 'gp3wWIhdm2', 'JR4w11atG1'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, EnU8sfvnNd79P1XCuf.cs High entropy of concatenated method names: 'SCZi8P0kTQ', 'noRiM4OHWJ', 'yJMiZr2kmc', 'QSOiy5Hh7c', 'aFsirU872b', 'skyilSX0Oq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, dErwtbOIhEFqxGQZhN.cs High entropy of concatenated method names: 'A347hsA3rE', 'X6a7gVM7tq', 'YoA78yLQyU', 'BXc7Mo7t7O', 'QKn7ydgNsT', 'GYb7lKvNAw', 'NVs7FlXh2D', 'LJE7kJgUr2', 'p1D7xplBd7', 'wt77T49DkY'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.cs High entropy of concatenated method names: 'cK8fm3Skow', 'hb0f6CdRJl', 'naNfYabMvK', 'WNdfLcLXYa', 'WLvfsQVTIe', 'rTefaOA4SG', 'fZJfbDDgG2', 'XMGfPMjwMv', 'S69fDDN2v6', 'KGDfoM1O5O'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, yrkxLgKYAZoa4ATwX6.cs High entropy of concatenated method names: 'Qm1523Gaj', 'JYvAXMPAr', 'snVSEDGfZ', 'uYrIQTBNd', 'AbsgWtdfB', 'KdEe1f5Rj', 'RQcbGPiyXOuydtNSAj', 'CYnDgxmceVowbfMm0B', 'fudiPaYS0', 'ltwdGeBkv'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, uEeXtO4XNIBXYK2Tdev.cs High entropy of concatenated method names: 'sbQ3jwwiXF', 'pC93cXvtga', 'fv235yYWKg', 'Kna3AESuxw', 'KMY3NVfa6o', 'pw03SB8OT7', 'VTk3IhHgbK', 'kxw3hdlD7R', 'WcI3gFMTG9', 'p5q3eTiMjc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, DY27sNeyg9vpC1Hsyn.cs High entropy of concatenated method names: 'APqsN6otQ6', 'd4VsIvkRZf', 'Fy0LZenhhZ', 'PigLyDrH1J', 'SCdLlQdY1Z', 'YQELEtBobk', 'cF1LF4C1g1', 'CnvLkEVUfJ', 'eigLVZe3NP', 'NoiLxwuiCW'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, AVanS4HBACcXACtDee.cs High entropy of concatenated method names: 'rdQ34nVBlm', 'cTT3fNfaob', 'w2b3CeAe6D', 'UIv36BxfCD', 'Pj23YLchXr', 'Jry3sH6Ilu', 'Uf33aJurVB', 'EEWiQ9n9VE', 'pK5iBtTdBY', 'u4sivgT7HF'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, oPNdg4YLFfdoTTjD1o.cs High entropy of concatenated method names: 'Dispose', 'GOh4vmyuAn', 'LckKMsrEB9', 'QZmnnJ44qW', 'sTb4HalxX7', 'Ywl4zS4vhI', 'ProcessDialogKey', 'EVgKXnU8sf', 'PNdK479P1X', 'dufKKNVanS'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, AyBX1DUcYNqriZ0gmj.cs High entropy of concatenated method names: 'TN2woJhELU', 'PbCwqHwkW2', 'ToString', 'NXxw6t2Kg3', 'VAkwYp5psx', 'mCVwLSBZGG', 'kcQwsyIdHF', 'wwxwahcEds', 'ES1wbeAJbY', 'J9wwP181E3'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ywUuoN44toNNkd5Kl6f.cs High entropy of concatenated method names: 'ToString', 'q2edf84rxC', 'zP3dC8CgOp', 'AmgdmX4hQ5', 'lxqd6NAYJ3', 'Ts0dYZyuSM', 'Cf3dL4BGsH', 'ha0dsApkUt', 'RQAhQ3gmeGkJVnAbAj6', 'MxcN7MgWuJqEB8Hca6c'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, jPc8BJrc4FJrw1nAjc.cs High entropy of concatenated method names: 'flD9xK4U0O', 'R1Z9nhfXiU', 'eYJ9rbGihm', 'XUe9WsKLb6', 'm9O9MIr4KU', 'O8Z9Z0llpu', 'o2o9yGIeuX', 'l859lZkKjR', 'mLm9EGtIfT', 'KNh9FlZ3Ig'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, blowsbhRT5ImjFslmA.cs High entropy of concatenated method names: 'J4FYrpMQWs', 'zsjYWF0ELM', 'mVsY1XbjjS', 'ePNYUU1Mau', 'e5gYtdIUKD', 'zpvYpKNY92', 'mJiYQCWuBr', 'mL0YB4juus', 'nxTYvtaFG0', 'G0mYHlo7gc'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ObalxXB7HwlS4vhIgV.cs High entropy of concatenated method names: 'Mgti6JojCh', 'NTDiYrZXhu', 'xP6iL9KV3U', 'TvpisGTUcg', 'teSiavSvUO', 'owjibGDomk', 'uhZiPjCb8y', 'XOwiDIob9I', 'sTQioVAAhT', 'mVyiqFIft4'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, YiP9PcVaeG93TFN1IG.cs High entropy of concatenated method names: 'oTVbjMg7kB', 'qfobcH53Hf', 'GcTb5Tdw7t', 'u0nbAijMBB', 'quKbNlvmkm', 'bIEbSSYnFc', 'B72bI3bRl2', 'sZhbhUndtN', 'WGwbgE6aEM', 'vqqbeUcP14'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, bJt9RoCliq8g9gi4p3.cs High entropy of concatenated method names: 'd944blowsb', 'wT54PImjFs', 'tBm4o7XDAG', 'ltB4q1hY27', 'SHs49ynkqR', 'yCA4JmihMg', 'cIoTDuK1MQaG5QVsWf', 'XPZlSyn9YkSbyC747s', 'EvT44aXYCG', 'fxj4fXfYyb'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, cRres3FcRBOksLVL86.cs High entropy of concatenated method names: 'pGXb6bJqWn', 'PgCbLy4UUM', 'RBMba6M9VS', 'bpqaHSMvQU', 'uJYazdsQ3h', 'cNGbXHO8HZ', 'Qqnb4U8nY3', 'xTwbK3MdIC', 'juAbfG5klu', 'FIybCFm8Ys'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, TqMivSL7iPXNkQJhTi.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'RgrKvebWlJ', 'm6nKHAtHW9', 'a9TKzaeZya', 'QFwfXZytql', 'lebf4QGWjs', 'ufofK1Fhtg', 'IAIffiEJwc', 'yxfXX7UR6S041Vlf5Cg'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, nwYo7b4fqoaIyCCKAJW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gBMdroKXG2', 'HModWKBFT0', 'V5Ed1oL7Oj', 'b8idUibEPy', 'lp9dt1fw8K', 'oePdp58fpn', 'x1GdQjyRJJ'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, IGirpG1rKZUaYUMgKV.cs High entropy of concatenated method names: 'ToString', 'O07JTJ3MVw', 'SyPJMGcXN3', 'WTVJZvCk3L', 'UQeJy7PTOB', 'tS3JledhnR', 'zwGJEsufmn', 'rJ0JFnJUHM', 'mEcJkJDQpn', 'v60JVHoIM5'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, MqRjCA8mihMgPt3QRs.cs High entropy of concatenated method names: 'CGRamqMvIZ', 'kYZaY5VHoN', 'sH3asiPFIo', 'eQSabodWKq', 'THhaPMSlsU', 'gNZstQj4Tu', 'rGyspbFFAu', 'ibssQT6TVR', 'JdhsBGDqKx', 'XB0svvD4ad'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, MZ930sz4QtWqvlUF7w.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xTu372wWwb', 'Ilr39swOvk', 'g7x3JwrtJc', 'UrB3wiKGQf', 'Rde3i9aDmX', 'XWW33xE82r', 'PiD3df33Xh'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, M9ym5dgBm7XDAGotB1.cs High entropy of concatenated method names: 'niILAYTxYh', 'x0TLSc5Mhv', 'mnTLh6u0cj', 'TaKLgAL2vA', 'cu5L9Ex3wI', 'cxDLJWT0Ze', 'xydLwfUrpL', 'Jv0LijIFDq', 'RK6L33ndhL', 'LplLdZNb1x'
Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, UnGqAipGRiiehMnM4m.cs High entropy of concatenated method names: 'FgywBGWQyy', 'xr0wHDPfJK', 'GfMiXsYcog', 'I5Oi4PqdND', 'EFywT4rxYv', 'N14wnLFbgy', 'SurwOMkMZo', 'mKUwrJ4SuG', 'gp3wWIhdm2', 'JR4w11atG1'
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process inf