Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ORIGINAL INVOICE COAU7230734293.exe

Overview

General Information

Sample name:ORIGINAL INVOICE COAU7230734293.exe
Analysis ID:1523776
MD5:f6c2a4c4d05e7b76e17a5a7a191ddeb1
SHA1:0d93776c5acfa7bb9a2ed5bc3ca46e0a525fa6bd
SHA256:ece8d193afdcc6ec2c024e2441f7c0ce25801143573cacf71cf059de9a337275
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64native
  • ORIGINAL INVOICE COAU7230734293.exe (PID: 5096 cmdline: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe" MD5: F6C2A4C4D05E7B76E17A5A7A191DDEB1)
    • ORIGINAL INVOICE COAU7230734293.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe" MD5: F6C2A4C4D05E7B76E17A5A7A191DDEB1)
      • RAVCpl64.exe (PID: 7608 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)
        • RpcPing.exe (PID: 5808 cmdline: "C:\Windows\SysWOW64\RpcPing.exe" MD5: F7DD5764D96A988F0CF9DD4813751473)
          • explorer.exe (PID: 5072 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2ed03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x16fd2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2b9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x13c9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        Click to see the 4 entries
        SourceRuleDescriptionAuthorStrings
        2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2ed03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x16fd2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2df03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x161d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
            No Sigma rule has matched
            No Suricata rule has matched

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Source: ORIGINAL INVOICE COAU7230734293.exeVirustotal: Detection: 47%Perma Link
            Source: ORIGINAL INVOICE COAU7230734293.exeReversingLabs: Detection: 57%
            Source: Yara matchFile source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: ORIGINAL INVOICE COAU7230734293.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: ORIGINAL INVOICE COAU7230734293.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: QmBB.pdbSHA256H source: ORIGINAL INVOICE COAU7230734293.exe
            Source: Binary string: QmBB.pdb source: ORIGINAL INVOICE COAU7230734293.exe
            Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734293.exe, ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 4x nop then jmp 06E7C994h0_2_06E7D04B
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4x nop then mov ebx, 00000004h4_2_035C04DE
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
            Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
            Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: explorer.exe, 00000005.00000002.183147375227.0000000009450000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180018627893.00000000029E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180024198807.000000000A030000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.foreca.com
            Source: explorer.exe, 00000005.00000000.180022424107.0000000008FBA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183145776732.0000000008FBA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmB
            Source: explorer.exe, 00000005.00000000.180026117504.000000000CBF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183150949902.000000000CBF0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/(
            Source: explorer.exe, 00000005.00000002.183144984959.0000000008DDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180021816351.0000000008DDA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/P
            Source: explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
            Source: explorer.exe, 00000005.00000002.183150949902.000000000CBAD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBAD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?$
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=30839BE1E99742A69F7CECEEBE3BA9D0&timeOut=5000&oc
            Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
            Source: explorer.exe, 00000005.00000003.180692273783.0000000009084000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180022524216.0000000009084000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183145919952.0000000009084000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comL
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/background/v2.0/jpg/
            Source: explorer.exe, 00000005.00000000.180021816351.0000000008DDA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Stock_In
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/crypto/icons/Cryptoc2112Image.png
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/index/svg/light/greenup.svg
            Source: explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/taskbar/icons/index/svg/light/reddown.svg
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.png
            Source: explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/MostlySunnyDay.svg
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Teaser/hot.svg
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v10/
            Source: explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W02_Most
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd-dark
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm-dark
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m-dark
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gFtr
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gFtr-dark
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
            Source: explorer.exe, 00000005.00000002.183144624425.0000000008D7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvW
            Source: explorer.exe, 00000005.00000002.183144624425.0000000008D7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyvW-dark
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13pwi3-dark
            Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
            Source: explorer.exe, 00000005.00000002.183153717616.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.180691575617.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180028656269.000000000D2A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comrl
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
            Source: explorer.exe, 00000005.00000002.183144624425.0000000008D7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1g7bhz.img
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1gKAgr.img
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1l47N2.img
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1lLvot.img
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1nsFzx.img
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA36Tom.img
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6J22N.img
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAywGC0.img
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyxkRJ.img
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBERG9W.img
            Source: explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=22fac781-5ff2-4c5e-9dca-d6b3
            Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183153717616.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.180691575617.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180028656269.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
            Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
            Source: explorer.exe, 00000005.00000000.180028656269.000000000D1F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183153717616.000000000D1F5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comEM
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://stacker.com/lifestyle/truth-behind-5-unconventional-self-care-rituals-have-gone-viral-tiktok
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://stacker.com/stories
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 00000005.00000002.183153717616.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.180691575617.000000000D2A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180028656269.000000000D2A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comA3
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/best-road-trip-snacks/
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/food-news/net-worth-guy-fieri/
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/restaurants/g33388878/diners-drive-ins-and-dives-restaurant-rules/
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/autos/other/24-used-sports-cars-that-are-notoriously-reliable-yet-crazy-ch
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/channel/source/AZ%20Animals%20US/sr-vid-7etr9q8xun6k6508c3nufaum0de3dqktiq
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/feed
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/cookingschool/for-the-best-grilled-clams-avoid-this-fatal-mis
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/happy-national-taco-day-here-are-the-best-deals-for-
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/other/the-5-carbs-you-should-be-eating-for-insulin-resistance-accor
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/other/vacuum-sealing-certain-foods-could-make-you-sick-here-are-7-t
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/relationships/my-dad-was-gay-but-married-to-my-mom-for-64-years-
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/shopping/iphone-16-first-look-while-we-wait-for-apple-intelligen
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/colorado-legally-requires-businesses-to-accept-cash-
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/tour-of-original-1949-frank-lloyd-wright-home-in-michigan
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/retirement/americans-have-just-weeks-left-until-new-social-security-
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/retirement/middle-aged-americans-are-leaving-work-for-months-years-t
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/it-s-not-taxed-at-all-warren-buffett-shared-the-b
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/rich-young-americans-are-ditching-the-stormy-stoc
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/technology/new-tandem-solar-cells-break-efficiency-record-they-could
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/movies/news/all-37-new-movies-dropping-on-netflix-today/ss-AA1rxnU9
            Source: explorer.exe, 00000005.00000002.183144984959.0000000008DDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180021816351.0000000008DDA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/dick-van-dyke-forever-you
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/dick-van-dyke-forever-young/ar-AA1lDpRD
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/tyreek-hill-s-traffic-stop-shows-interactions-with-police-can-b
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/6-things-to-watch-for-when-kamala-harris-debates-donald-trum
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/jd-vance-spreads-outrageous-lie-about-hai
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/nvidia-hopes-lightning-will-strike-twice-as-it-aims-to-cor
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/spacex-set-to-launch-billionaire-s-private-crew-on-breakth
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-record-breaking-bass-has-been-caught-in-a-texas-lake/ss-AA1qf3tz
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/james-earl-jones-s-talents-went-far-far-beyond-his-magnificent-voi
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/john-amos-patriarch-on-good-times-and-an-emmy-nominee-for-the-bloc
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/sen-tuberville-blocks-promotion-of-lloyd-austin-s-top-military-aid
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/trump-repeats-false-claims-that-children-are-undergoing-transgende
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/gaza-authorities-say-deadly-blasts-hit-humanitarian-zone/ar-AA1
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nba/don-t-know-what-to-say-phil-jackson-on-pau-gasol-and-matt-barne
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nba/johnny-gaudreau-s-wife-reveals-in-eulogy-she-s-pregnant-expecti
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nba/the-really-challenging-ones-were-heavy-and-mechanical-hakeem-ol
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/can-t-miss-play-vintage-rodgers-jets-qb-gashes-49ers-for-36-y
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/global-entry-vs-tsa-precheck-which-prescreen-will-get-you-thro
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/scientists-finally-solve-mystery-behind-bermuda-triangle-disap
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/tv/news/reacher-spinoff-the-untitled-neagley-project-starring-maria-sten-s
            Source: explorer.exe, 00000005.00000002.183144624425.0000000008D7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/tv/news/the-bold-the-beautiful-young-and-the-restless-more-get-premiere-da
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-Miami%2CFlorida?loc=eyJsIjoiTWlhbWkiLCJyIjoiRmxvcmlkYS
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/hourlyforecast/in-Miami%2CFlorida?loc=eyJsIjoiTWlhbWkiLCJyIjoiRmxv
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/tropical-storm-francine-spaghetti-models-show-3-states-
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.pollensense.com/

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: initial sampleStatic PE information: Filename: ORIGINAL INVOICE COAU7230734293.exe
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0042BFF3 NtClose,2_2_0042BFF3
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D34E0 NtCreateMutant,LdrInitializeThunk,2_2_016D34E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2BC0 NtQueryInformationToken,LdrInitializeThunk,2_2_016D2BC0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2B90 NtFreeVirtualMemory,LdrInitializeThunk,2_2_016D2B90
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2A80 NtClose,LdrInitializeThunk,2_2_016D2A80
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2D10 NtQuerySystemInformation,LdrInitializeThunk,2_2_016D2D10
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2EB0 NtProtectVirtualMemory,LdrInitializeThunk,2_2_016D2EB0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D4260 NtSetContextThread,2_2_016D4260
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D4570 NtSuspendThread,2_2_016D4570
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D29F0 NtReadFile,2_2_016D29F0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D29D0 NtWaitForSingleObject,2_2_016D29D0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D38D0 NtGetContextThread,2_2_016D38D0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2B20 NtQueryInformationProcess,2_2_016D2B20
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2B00 NtQueryValueKey,2_2_016D2B00
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2B10 NtAllocateVirtualMemory,2_2_016D2B10
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2BE0 NtQueryVirtualMemory,2_2_016D2BE0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2B80 NtCreateKey,2_2_016D2B80
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2A10 NtWriteFile,2_2_016D2A10
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2AC0 NtEnumerateValueKey,2_2_016D2AC0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2AA0 NtQueryInformationFile,2_2_016D2AA0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2D50 NtWriteVirtualMemory,2_2_016D2D50
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2DC0 NtAdjustPrivilegesToken,2_2_016D2DC0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2DA0 NtReadVirtualMemory,2_2_016D2DA0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2C50 NtUnmapViewOfSection,2_2_016D2C50
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2C20 NtSetInformationFile,2_2_016D2C20
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2C30 NtMapViewOfSection,2_2_016D2C30
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D3C30 NtOpenProcessToken,2_2_016D3C30
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2C10 NtOpenProcess,2_2_016D2C10
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2CF0 NtDelayExecution,2_2_016D2CF0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2CD0 NtEnumerateKey,2_2_016D2CD0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D3C90 NtOpenThread,2_2_016D3C90
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2F30 NtOpenDirectoryObject,2_2_016D2F30
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2F00 NtCreateFile,2_2_016D2F00
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2FB0 NtSetValueKey,2_2_016D2FB0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2E50 NtCreateSection,2_2_016D2E50
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2E00 NtQueueApcThread,2_2_016D2E00
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2EC0 NtQuerySection,2_2_016D2EC0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2ED0 NtResumeThread,2_2_016D2ED0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2E80 NtCreateProcessEx,2_2_016D2E80
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E34E0 NtCreateMutant,LdrInitializeThunk,4_2_032E34E0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E2B00 NtQueryValueKey,LdrInitializeThunk,4_2_032E2B00
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E2B10 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_032E2B10
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E2B80 NtCreateKey,LdrInitializeThunk,4_2_032E2B80
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E2B90 NtFreeVirtualMemory,LdrInitializeThunk,4_2_032E2B90
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E2BC0 NtQueryInformationToken,LdrInitializeThunk,4_2_032E2BC0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E2A80 NtClose,LdrInitializeThunk,4_2_032E2A80
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E29F0 NtReadFile,LdrInitializeThunk,4_2_032E29F0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E2F00 NtCreateFile,LdrInitializeThunk,4_2_032E2F00
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E2E50 NtCreateSection,LdrInitializeThunk,4_2_032E2E50
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E2D10 NtQuerySystemInformation,LdrInitializeThunk,4_2_032E2D10
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E2C30 NtMapViewOfSection,LdrInitializeThunk,