Windows Analysis Report
ORIGINAL INVOICE COAU7230734293.exe

Overview

General Information

Sample name: ORIGINAL INVOICE COAU7230734293.exe
Analysis ID: 1523776
MD5: f6c2a4c4d05e7b76e17a5a7a191ddeb1
SHA1: 0d93776c5acfa7bb9a2ed5bc3ca46e0a525fa6bd
SHA256: ece8d193afdcc6ec2c024e2441f7c0ce25801143573cacf71cf059de9a337275

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64native
  • ORIGINAL INVOICE COAU7230734293.exe (PID: 5096 cmdline: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe" MD5: F6C2A4C4D05E7B76E17A5A7A191DDEB1)
    • ORIGINAL INVOICE COAU7230734293.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe" MD5: F6C2A4C4D05E7B76E17A5A7A191DDEB1)
      • RAVCpl64.exe (PID: 7608 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)
        • RpcPing.exe (PID: 5808 cmdline: "C:\Windows\SysWOW64\RpcPing.exe" MD5: F7DD5764D96A988F0CF9DD4813751473)
          • explorer.exe (PID: 5072 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ed03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16fd2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2b9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13c9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ed03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16fd2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2df03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x161d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: ORIGINAL INVOICE COAU7230734293.exe; Virustotal: Detection: 47%
Source: ORIGINAL INVOICE COAU7230734293.exe; ReversingLabs: Detection: 57%
Source: Yara match; File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: ORIGINAL INVOICE COAU7230734293.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORIGINAL INVOICE COAU7230734293.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: QmBB.pdbSHA256H source: ORIGINAL INVOICE COAU7230734293.exe
Source: Binary string: QmBB.pdb source: ORIGINAL INVOICE COAU7230734293.exe
Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734293.exe, ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe; Code function: 4x nop then jmp 06E7C994h; 0_2_06E7D04B
Source: C:\Windows\SysWOW64\RpcPing.exe; Code function: 4x nop then mov ebx, 00000004h; 4_2_035C04DE
            Source: explorer.exe, 00000005.00000002.183144984959.0000000008DDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180021816351.0000000008DDA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/dick-van-dyke-forever-you
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/dick-van-dyke-forever-young/ar-AA1lDpRD
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/tyreek-hill-s-traffic-stop-shows-interactions-with-police-can-b
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/6-things-to-watch-for-when-kamala-harris-debates-donald-trum
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/jd-vance-spreads-outrageous-lie-about-hai
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/nvidia-hopes-lightning-will-strike-twice-as-it-aims-to-cor
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/spacex-set-to-launch-billionaire-s-private-crew-on-breakth
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-record-breaking-bass-has-been-caught-in-a-texas-lake/ss-AA1qf3tz
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/james-earl-jones-s-talents-went-far-far-beyond-his-magnificent-voi
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/john-amos-patriarch-on-good-times-and-an-emmy-nominee-for-the-bloc
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/sen-tuberville-blocks-promotion-of-lloyd-austin-s-top-military-aid
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/trump-repeats-false-claims-that-children-are-undergoing-transgende
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/gaza-authorities-say-deadly-blasts-hit-humanitarian-zone/ar-AA1
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nba/don-t-know-what-to-say-phil-jackson-on-pau-gasol-and-matt-barne
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nba/johnny-gaudreau-s-wife-reveals-in-eulogy-she-s-pregnant-expecti
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nba/the-really-challenging-ones-were-heavy-and-mechanical-hakeem-ol
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/can-t-miss-play-vintage-rodgers-jets-qb-gashes-49ers-for-36-y
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/global-entry-vs-tsa-precheck-which-prescreen-will-get-you-thro
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/scientists-finally-solve-mystery-behind-bermuda-triangle-disap
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/tv/news/reacher-spinoff-the-untitled-neagley-project-starring-maria-sten-s
            Source: explorer.exe, 00000005.00000002.183144624425.0000000008D7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/tv/news/the-bold-the-beautiful-young-and-the-restless-more-get-premiere-da
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-Miami%2CFlorida?loc=eyJsIjoiTWlhbWkiLCJyIjoiRmxvcmlkYS
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/hourlyforecast/in-Miami%2CFlorida?loc=eyJsIjoiTWlhbWkiLCJyIjoiRmxv
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/tropical-storm-francine-spaghetti-models-show-3-states-
            Source: explorer.exe, 00000005.00000000.180021627347.0000000008D88000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.pollensense.com/

            E-Banking Fraud

            Source: Yara match, File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: initial sample, Static PE information: Filename: ORIGINAL INVOICE COAU7230734293.exe
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0176ACEB2_2_0176ACEB
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016B8CDF2_2_016B8CDF
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01739C982_2_01739C98
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0175FF632_2_0175FF63
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016ACF002_2_016ACF00
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A6FE02_2_016A6FE0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01751FC62_2_01751FC6
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0175EFBF2_2_0175EFBF
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01740E6D2_2_01740E6D
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016E2E482_2_016E2E48
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C0E502_2_016C0E50
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01692EE82_2_01692EE8
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01759ED22_2_01759ED2
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A1EB22_2_016A1EB2
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01750EAD2_2_01750EAD
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336F3304_2_0336F330
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032BE3104_2_032BE310
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032A13804_2_032A1380
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336124C4_2_0336124C
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0329D2EC4_2_0329D2EC
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0334D1304_2_0334D130
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0337010E4_2_0337010E
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0329F1134_2_0329F113
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032F717A4_2_032F717A
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032CB1E04_2_032CB1E0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B51C04_2_032B51C0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0335E0764_2_0335E076
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032A00A04_2_032A00A0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032E508C4_2_032E508C
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_033670F14_2_033670F1
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032BB0D04_2_032BB0D0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B27604_2_032B2760
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032BA7604_2_032BA760
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_033667574_2_03366757
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0334D62C4_2_0334D62C
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032CC6004_2_032CC600
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032D46704_2_032D4670
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0335D6464_2_0335D646
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B06804_2_032B0680
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336F6F64_2_0336F6F6
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032AC6E04_2_032AC6E0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_033236EC4_2_033236EC
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336A6C04_2_0336A6C0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0337A5264_2_0337A526
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_033675C64_2_033675C6
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336F5C94_2_0336F5C9
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B04454_2_032B0445
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0331D4804_2_0331D480
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336FB2E4_2_0336FB2E
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032EDB194_2_032EDB19
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B0B104_2_032B0B10
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_03324BC04_2_03324BC0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336CA134_2_0336CA13
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336EA5B4_2_0336EA5B
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032CFAA04_2_032CFAA0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336FA894_2_0336FA89
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032AE9A04_2_032AE9A0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336E9A64_2_0336E9A6
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032F59C04_2_032F59C0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_033508354_2_03350835
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B38004_2_032B3800
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032DE8104_2_032DE810
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032968684_2_03296868
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_033258704_2_03325870
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336F8724_2_0336F872
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B98704_2_032B9870
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032CB8704_2_032CB870
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_033298B24_2_033298B2
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032C68824_2_032C6882
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_033678F34_2_033678F3
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B28C04_2_032B28C0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_033618DA4_2_033618DA
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032BCF004_2_032BCF00
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336FF634_2_0336FF63
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336EFBF4_2_0336EFBF
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B6FE04_2_032B6FE0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_03361FC64_2_03361FC6
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_03350E6D4_2_03350E6D
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032F2E484_2_032F2E48
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032D0E504_2_032D0E50
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B1EB24_2_032B1EB2
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_03360EAD4_2_03360EAD
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032A2EE84_2_032A2EE8
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_03369ED24_2_03369ED2
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336FD274_2_0336FD27
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032AAD004_2_032AAD00
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B0D694_2_032B0D69
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_03367D4C4_2_03367D4C
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032C2DB04_2_032C2DB0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0334FDF44_2_0334FDF4
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B9DD04_2_032B9DD0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032A0C124_2_032A0C12
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032B3C604_2_032B3C60
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0336EC604_2_0336EC60
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_03366C694_2_03366C69
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0335EC4C4_2_0335EC4C
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_03349C984_2_03349C98
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032CFCE04_2_032CFCE0
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_03337CE84_2_03337CE8
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_0337ACEB4_2_0337ACEB
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_032C8CDF4_2_032C8CDF
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_035CF0184_2_035CF018
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_035C038E4_2_035C038E
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_035CCAE84_2_035CCAE8
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_035CCA8A4_2_035CCA8A
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_035CD8584_2_035CD858
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_035CE7EC4_2_035CE7EC
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_035D552D4_2_035D552D
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_035CE4564_2_035CE456
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: 4_2_035D54BD4_2_035D54BD
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: String function: 0329B910 appears 268 times
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: String function: 032F7BE4 appears 96 times
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: String function: 032E5050 appears 36 times
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: String function: 0332EF10 appears 105 times
            Source: C:\Windows\SysWOW64\RpcPing.exeCode function: String function: 0331E692 appears 82 times
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: String function: 016E7BE4 appears 88 times
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: String function: 0168B910 appears 266 times
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: String function: 0171EF10 appears 105 times
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: String function: 016D5050 appears 36 times
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: String function: 0170E692 appears 79 times
            Source: ORIGINAL INVOICE COAU7230734293.exe, 00000000.00000000.178053213809.000000000079E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameQmBB.exe@ vs ORIGINAL INVOICE COAU7230734293.exe
            Source: ORIGINAL INVOICE COAU7230734293.exe, 00000000.00000002.178186045219.00000000071F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs ORIGINAL INVOICE COAU7230734293.exe
            Source: ORIGINAL INVOICE COAU7230734293.exe, 00000000.00000002.178179990818.0000000000D6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs ORIGINAL INVOICE COAU7230734293.exe
            Source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.000000000178D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs ORIGINAL INVOICE COAU7230734293.exe
            Source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRpcPing.exej% vs ORIGINAL INVOICE COAU7230734293.exe
            Source: ORIGINAL INVOICE COAU7230734293.exeBinary or memory string: OriginalFilenameQmBB.exe@ vs ORIGINAL INVOICE COAU7230734293.exe
            Source: ORIGINAL INVOICE COAU7230734293.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: ORIGINAL INVOICE COAU7230734293.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, blowsbhRT5ImjFslmA.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, blowsbhRT5ImjFslmA.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, blowsbhRT5ImjFslmA.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.evad.winEXE@5/1@0/0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORIGINAL INVOICE COAU7230734293.exe.logJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeMutant created: NULL
            Source: ORIGINAL INVOICE COAU7230734293.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: ORIGINAL INVOICE COAU7230734293.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: ORIGINAL INVOICE COAU7230734293.exeVirustotal: Detection: 47%
            Source: ORIGINAL INVOICE COAU7230734293.exeReversingLabs: Detection: 57%
            Source: unknownProcess created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe"
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeProcess created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe"
            Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeProcess created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeProcess created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe"Jump to behavior
            Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeProcess created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"Jump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\SysWOW64\RpcPing.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\RpcPing.exeSection loaded: credui.dllJump to behavior
            Source: C:\Windows\SysWOW64\RpcPing.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\RpcPing.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\RpcPing.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: fhcfg.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: efsutil.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: dsrole.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: windows.internal.system.userprofile.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: cloudexperiencehostbroker.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: mfsrcsnk.dllJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: ORIGINAL INVOICE COAU7230734293.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: ORIGINAL INVOICE COAU7230734293.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: ORIGINAL INVOICE COAU7230734293.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: QmBB.pdbSHA256H source: ORIGINAL INVOICE COAU7230734293.exe
            Source: Binary string: QmBB.pdb source: ORIGINAL INVOICE COAU7230734293.exe
            Source: Binary string: wntdll.pdbUGP source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: RPCPing.pdbGCTL source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: ORIGINAL INVOICE COAU7230734293.exe, ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178540116469.0000000001660000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, RpcPing.exe, 00000004.00000003.178545237233.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.000000000339D000.00000040.00001000.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000003.178548545707.00000000030C4000.00000004.00000020.00020000.00000000.sdmp, RpcPing.exe, 00000004.00000002.180095164154.0000000003270000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: RPCPing.pdb source: ORIGINAL INVOICE COAU7230734293.exe, 00000002.00000002.178539692595.0000000001217000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.cs.Net Code: vTQC5VobJS System.Reflection.Assembly.Load(byte[])
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.3d41ea0.3.raw.unpack, MainForm.cs.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.7820000.5.raw.unpack, MainForm.cs.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.478f650.0.raw.unpack, ogP5rAPiEpGPhloLbo.cs.Net Code: vTQC5VobJS System.Reflection.Assembly.Load(byte[])
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.71f0000.4.raw.unpack, ogP5rAPiEpGPhloLbo.cs.Net Code: vTQC5VobJS System.Reflection.Assembly.Load(byte[])
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.3d29c80.1.raw.unpack, MainForm.cs.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
            Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: 0xE3D84D29 [Sun Feb 18 02:19:21 2091 UTC]
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 0_2_06E7EBC2 push esp; iretd 0_2_06E7EBC5
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_0040D0CA push edi; ret 2_2_0040D0CC
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00416166 pushfd ; iretd 2_2_004161E5
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00417984 push esp; iretd 2_2_0041798A
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00413B46 push eax; iretd 2_2_00413B71
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00413B62 push eax; iretd 2_2_00413B71
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00408307 push ds; iretd 2_2_00408309
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00403330 push eax; ret 2_2_00403332
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00415C40 push ebx; ret 2_2_00415C6A
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00415C43 push ebx; ret 2_2_00415C6A
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00404D23 push esi; retf 2_2_00404D24
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_00417FD0 push esp; ret 2_2_00417FD1
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_004187E8 push ebx; ret 2_2_004187E9
            Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D0B3B push 43BCF294h; retf 4_2_035D0B63
            Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CD3C1 push ebx; retf 4_2_035CD3C2
            Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CD2D5 push cs; iretd 4_2_035CD301
            Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C5173 pushad ; iretd 4_2_035C5174
            Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035D51D2 push eax; ret 4_2_035D51D4
            Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035CB858 push ds; retf 4_2_035CB859
            Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C5F4E push esi; iretd 4_2_035C5F56
            Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C47AF push ebx; iretd 4_2_035C47DB
            Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C462F pushfd ; ret 4_2_035C4644
            Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C5ECC push cs; iretd 4_2_035C5ED4
            Source: C:\Windows\SysWOW64\RpcPing.exe Code function: 4_2_035C1C73 push eax; iretd 4_2_035C1C74
            Source: ORIGINAL INVOICE COAU7230734293.exe Static PE information: section name: .text entropy: 7.704474646443921
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, EnU8sfvnNd79P1XCuf.csHigh entropy of concatenated method names: 'SCZi8P0kTQ', 'noRiM4OHWJ', 'yJMiZr2kmc', 'QSOiy5Hh7c', 'aFsirU872b', 'skyilSX0Oq', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, dErwtbOIhEFqxGQZhN.csHigh entropy of concatenated method names: 'A347hsA3rE', 'X6a7gVM7tq', 'YoA78yLQyU', 'BXc7Mo7t7O', 'QKn7ydgNsT', 'GYb7lKvNAw', 'NVs7FlXh2D', 'LJE7kJgUr2', 'p1D7xplBd7', 'wt77T49DkY'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ogP5rAPiEpGPhloLbo.csHigh entropy of concatenated method names: 'cK8fm3Skow', 'hb0f6CdRJl', 'naNfYabMvK', 'WNdfLcLXYa', 'WLvfsQVTIe', 'rTefaOA4SG', 'fZJfbDDgG2', 'XMGfPMjwMv', 'S69fDDN2v6', 'KGDfoM1O5O'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, yrkxLgKYAZoa4ATwX6.csHigh entropy of concatenated method names: 'Qm1523Gaj', 'JYvAXMPAr', 'snVSEDGfZ', 'uYrIQTBNd', 'AbsgWtdfB', 'KdEe1f5Rj', 'RQcbGPiyXOuydtNSAj', 'CYnDgxmceVowbfMm0B', 'fudiPaYS0', 'ltwdGeBkv'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, uEeXtO4XNIBXYK2Tdev.csHigh entropy of concatenated method names: 'sbQ3jwwiXF', 'pC93cXvtga', 'fv235yYWKg', 'Kna3AESuxw', 'KMY3NVfa6o', 'pw03SB8OT7', 'VTk3IhHgbK', 'kxw3hdlD7R', 'WcI3gFMTG9', 'p5q3eTiMjc'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, DY27sNeyg9vpC1Hsyn.csHigh entropy of concatenated method names: 'APqsN6otQ6', 'd4VsIvkRZf', 'Fy0LZenhhZ', 'PigLyDrH1J', 'SCdLlQdY1Z', 'YQELEtBobk', 'cF1LF4C1g1', 'CnvLkEVUfJ', 'eigLVZe3NP', 'NoiLxwuiCW'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, AVanS4HBACcXACtDee.csHigh entropy of concatenated method names: 'rdQ34nVBlm', 'cTT3fNfaob', 'w2b3CeAe6D', 'UIv36BxfCD', 'Pj23YLchXr', 'Jry3sH6Ilu', 'Uf33aJurVB', 'EEWiQ9n9VE', 'pK5iBtTdBY', 'u4sivgT7HF'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, oPNdg4YLFfdoTTjD1o.csHigh entropy of concatenated method names: 'Dispose', 'GOh4vmyuAn', 'LckKMsrEB9', 'QZmnnJ44qW', 'sTb4HalxX7', 'Ywl4zS4vhI', 'ProcessDialogKey', 'EVgKXnU8sf', 'PNdK479P1X', 'dufKKNVanS'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, AyBX1DUcYNqriZ0gmj.csHigh entropy of concatenated method names: 'TN2woJhELU', 'PbCwqHwkW2', 'ToString', 'NXxw6t2Kg3', 'VAkwYp5psx', 'mCVwLSBZGG', 'kcQwsyIdHF', 'wwxwahcEds', 'ES1wbeAJbY', 'J9wwP181E3'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ywUuoN44toNNkd5Kl6f.csHigh entropy of concatenated method names: 'ToString', 'q2edf84rxC', 'zP3dC8CgOp', 'AmgdmX4hQ5', 'lxqd6NAYJ3', 'Ts0dYZyuSM', 'Cf3dL4BGsH', 'ha0dsApkUt', 'RQAhQ3gmeGkJVnAbAj6', 'MxcN7MgWuJqEB8Hca6c'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, jPc8BJrc4FJrw1nAjc.csHigh entropy of concatenated method names: 'flD9xK4U0O', 'R1Z9nhfXiU', 'eYJ9rbGihm', 'XUe9WsKLb6', 'm9O9MIr4KU', 'O8Z9Z0llpu', 'o2o9yGIeuX', 'l859lZkKjR', 'mLm9EGtIfT', 'KNh9FlZ3Ig'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, blowsbhRT5ImjFslmA.csHigh entropy of concatenated method names: 'J4FYrpMQWs', 'zsjYWF0ELM', 'mVsY1XbjjS', 'ePNYUU1Mau', 'e5gYtdIUKD', 'zpvYpKNY92', 'mJiYQCWuBr', 'mL0YB4juus', 'nxTYvtaFG0', 'G0mYHlo7gc'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, ObalxXB7HwlS4vhIgV.csHigh entropy of concatenated method names: 'Mgti6JojCh', 'NTDiYrZXhu', 'xP6iL9KV3U', 'TvpisGTUcg', 'teSiavSvUO', 'owjibGDomk', 'uhZiPjCb8y', 'XOwiDIob9I', 'sTQioVAAhT', 'mVyiqFIft4'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, YiP9PcVaeG93TFN1IG.csHigh entropy of concatenated method names: 'oTVbjMg7kB', 'qfobcH53Hf', 'GcTb5Tdw7t', 'u0nbAijMBB', 'quKbNlvmkm', 'bIEbSSYnFc', 'B72bI3bRl2', 'sZhbhUndtN', 'WGwbgE6aEM', 'vqqbeUcP14'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, bJt9RoCliq8g9gi4p3.csHigh entropy of concatenated method names: 'd944blowsb', 'wT54PImjFs', 'tBm4o7XDAG', 'ltB4q1hY27', 'SHs49ynkqR', 'yCA4JmihMg', 'cIoTDuK1MQaG5QVsWf', 'XPZlSyn9YkSbyC747s', 'EvT44aXYCG', 'fxj4fXfYyb'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, cRres3FcRBOksLVL86.csHigh entropy of concatenated method names: 'pGXb6bJqWn', 'PgCbLy4UUM', 'RBMba6M9VS', 'bpqaHSMvQU', 'uJYazdsQ3h', 'cNGbXHO8HZ', 'Qqnb4U8nY3', 'xTwbK3MdIC', 'juAbfG5klu', 'FIybCFm8Ys'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, TqMivSL7iPXNkQJhTi.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'RgrKvebWlJ', 'm6nKHAtHW9', 'a9TKzaeZya', 'QFwfXZytql', 'lebf4QGWjs', 'ufofK1Fhtg', 'IAIffiEJwc', 'yxfXX7UR6S041Vlf5Cg'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, nwYo7b4fqoaIyCCKAJW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gBMdroKXG2', 'HModWKBFT0', 'V5Ed1oL7Oj', 'b8idUibEPy', 'lp9dt1fw8K', 'oePdp58fpn', 'x1GdQjyRJJ'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, IGirpG1rKZUaYUMgKV.csHigh entropy of concatenated method names: 'ToString', 'O07JTJ3MVw', 'SyPJMGcXN3', 'WTVJZvCk3L', 'UQeJy7PTOB', 'tS3JledhnR', 'zwGJEsufmn', 'rJ0JFnJUHM', 'mEcJkJDQpn', 'v60JVHoIM5'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, MqRjCA8mihMgPt3QRs.csHigh entropy of concatenated method names: 'CGRamqMvIZ', 'kYZaY5VHoN', 'sH3asiPFIo', 'eQSabodWKq', 'THhaPMSlsU', 'gNZstQj4Tu', 'rGyspbFFAu', 'ibssQT6TVR', 'JdhsBGDqKx', 'XB0svvD4ad'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, MZ930sz4QtWqvlUF7w.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xTu372wWwb', 'Ilr39swOvk', 'g7x3JwrtJc', 'UrB3wiKGQf', 'Rde3i9aDmX', 'XWW33xE82r', 'PiD3df33Xh'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, M9ym5dgBm7XDAGotB1.csHigh entropy of concatenated method names: 'niILAYTxYh', 'x0TLSc5Mhv', 'mnTLh6u0cj', 'TaKLgAL2vA', 'cu5L9Ex3wI', 'cxDLJWT0Ze', 'xydLwfUrpL', 'Jv0LijIFDq', 'RK6L33ndhL', 'LplLdZNb1x'
            Source: 0.2.ORIGINAL INVOICE COAU7230734293.exe.4817070.2.raw.unpack, UnGqAipGRiiehMnM4m.csHigh entropy of concatenated method names: 'FgywBGWQyy', 'xr0wHDPfJK', 'GfMiXsYcog', 'I5Oi4PqdND', 'EFywT4rxYv', 'N14wnLFbgy', 'SurwOMkMZo', 'mKUwrJ4SuG', 'gp3wWIhdm2', 'JR4w11atG1'
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\RpcPing.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: ORIGINAL INVOICE COAU7230734293.exe PID: 5096, type: MEMORYSTR
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeAPI/Special instruction interceptor: Address: 7FF90770D144
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeAPI/Special instruction interceptor: Address: 7FF907710594
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeAPI/Special instruction interceptor: Address: 7FF90770FF74
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeAPI/Special instruction interceptor: Address: 7FF90770D6C4
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeAPI/Special instruction interceptor: Address: 7FF90770D864
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeAPI/Special instruction interceptor: Address: 7FF90770D004
            Source: C:\Windows\SysWOW64\RpcPing.exeAPI/Special instruction interceptor: Address: 7FF90770D144
            Source: C:\Windows\SysWOW64\RpcPing.exeAPI/Special instruction interceptor: Address: 7FF907710594
            Source: C:\Windows\SysWOW64\RpcPing.exeAPI/Special instruction interceptor: Address: 7FF90770D764
            Source: C:\Windows\SysWOW64\RpcPing.exeAPI/Special instruction interceptor: Address: 7FF90770D324
            Source: C:\Windows\SysWOW64\RpcPing.exeAPI/Special instruction interceptor: Address: 7FF90770D364
            Source: C:\Windows\SysWOW64\RpcPing.exeAPI/Special instruction interceptor: Address: 7FF90770D004
            Source: C:\Windows\SysWOW64\RpcPing.exeAPI/Special instruction interceptor: Address: 7FF90770FF74
            Source: C:\Windows\SysWOW64\RpcPing.exeAPI/Special instruction interceptor: Address: 7FF90770D6C4
            Source: C:\Windows\SysWOW64\RpcPing.exeAPI/Special instruction interceptor: Address: 7FF90770D864
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 2AA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 2D00000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 2B20000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 7980000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 8980000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 8B30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 9B30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: 9E80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: AE80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: BE80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1763 rdtsc 2_2_016D1763
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\RpcPing.exe Window / User API: threadDelayed 9852
            Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 894
            Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 865
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe API coverage: 1.0 %
            Source: C:\Windows\SysWOW64\RpcPing.exe API coverage: 1.1 %
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe TID: 5716 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\RpcPing.exe TID: 2552 Thread sleep count: 122 > 30
            Source: C:\Windows\SysWOW64\RpcPing.exe TID: 2552 Thread sleep time: -244000s >= -30000s
            Source: C:\Windows\SysWOW64\RpcPing.exe TID: 2552 Thread sleep count: 9852 > 30
            Source: C:\Windows\SysWOW64\RpcPing.exe TID: 2552 Thread sleep time: -19704000s >= -30000s
            Source: C:\Windows\SysWOW64\RpcPing.exe Last function: Thread delayed
            Source: explorer.exe, 00000005.00000002.183150949902.000000000CBBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180026117504.000000000CBBB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%; >
            Source: RpcPing.exe, 00000004.00000002.180094426559.0000000002CA2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2(
            Source: explorer.exe, 00000005.00000002.183151981871.000000000D0DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000D0DE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: explorer.exe, 00000005.00000002.183151981871.000000000CDBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180027171198.000000000CDBE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWd32.exe
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\RpcPing.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016D1763 rdtsc 2_2_016D1763
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_004172F3 LdrLoadDll, 2_2_004172F3
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Code function: 2_2_016C716D mov eax, dword ptr fs:[00000030h] 2_2_016C716D
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0172327E mov eax, dword ptr fs:[00000030h]2_2_0172327E
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0172327E mov eax, dword ptr fs:[00000030h]2_2_0172327E
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0172327E mov eax, dword ptr fs:[00000030h]2_2_0172327E
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0172327E mov eax, dword ptr fs:[00000030h]2_2_0172327E
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168B273 mov eax, dword ptr fs:[00000030h]2_2_0168B273
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168B273 mov eax, dword ptr fs:[00000030h]2_2_0168B273
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168B273 mov eax, dword ptr fs:[00000030h]2_2_0168B273
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BF24A mov eax, dword ptr fs:[00000030h]2_2_016BF24A
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0174F247 mov eax, dword ptr fs:[00000030h]2_2_0174F247
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0175124C mov eax, dword ptr fs:[00000030h]2_2_0175124C
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0175124C mov eax, dword ptr fs:[00000030h]2_2_0175124C
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0175124C mov eax, dword ptr fs:[00000030h]2_2_0175124C
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0175124C mov eax, dword ptr fs:[00000030h]2_2_0175124C
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CA22B mov eax, dword ptr fs:[00000030h]2_2_016CA22B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CA22B mov eax, dword ptr fs:[00000030h]2_2_016CA22B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CA22B mov eax, dword ptr fs:[00000030h]2_2_016CA22B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01710227 mov eax, dword ptr fs:[00000030h]2_2_01710227
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01710227 mov eax, dword ptr fs:[00000030h]2_2_01710227
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01710227 mov eax, dword ptr fs:[00000030h]2_2_01710227
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016B0230 mov ecx, dword ptr fs:[00000030h]2_2_016B0230
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0171B214 mov eax, dword ptr fs:[00000030h]2_2_0171B214
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0171B214 mov eax, dword ptr fs:[00000030h]2_2_0171B214
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168A200 mov eax, dword ptr fs:[00000030h]2_2_0168A200
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168821B mov eax, dword ptr fs:[00000030h]2_2_0168821B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168D2EC mov eax, dword ptr fs:[00000030h]2_2_0168D2EC
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168D2EC mov eax, dword ptr fs:[00000030h]2_2_0168D2EC
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016872E0 mov eax, dword ptr fs:[00000030h]2_2_016872E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h]2_2_0169A2E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h]2_2_0169A2E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h]2_2_0169A2E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h]2_2_0169A2E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h]2_2_0169A2E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169A2E0 mov eax, dword ptr fs:[00000030h]2_2_0169A2E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016982E0 mov eax, dword ptr fs:[00000030h]2_2_016982E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016982E0 mov eax, dword ptr fs:[00000030h]2_2_016982E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016982E0 mov eax, dword ptr fs:[00000030h]2_2_016982E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016982E0 mov eax, dword ptr fs:[00000030h]2_2_016982E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h]2_2_016A02F9
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h]2_2_016A02F9
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h]2_2_016A02F9
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h]2_2_016A02F9
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h]2_2_016A02F9
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h]2_2_016A02F9
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h]2_2_016A02F9
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A02F9 mov eax, dword ptr fs:[00000030h]2_2_016A02F9
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C32C0 mov eax, dword ptr fs:[00000030h]2_2_016C32C0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C32C0 mov eax, dword ptr fs:[00000030h]2_2_016C32C0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016B32C5 mov eax, dword ptr fs:[00000030h]2_2_016B32C5
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_017632C9 mov eax, dword ptr fs:[00000030h]2_2_017632C9
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016B42AF mov eax, dword ptr fs:[00000030h]2_2_016B42AF
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016B42AF mov eax, dword ptr fs:[00000030h]2_2_016B42AF
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016892AF mov eax, dword ptr fs:[00000030h]2_2_016892AF
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0176B2BC mov eax, dword ptr fs:[00000030h]2_2_0176B2BC
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0176B2BC mov eax, dword ptr fs:[00000030h]2_2_0176B2BC
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0176B2BC mov eax, dword ptr fs:[00000030h]2_2_0176B2BC
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0176B2BC mov eax, dword ptr fs:[00000030h]2_2_0176B2BC
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168C2B0 mov ecx, dword ptr fs:[00000030h]2_2_0168C2B0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0174F2AE mov eax, dword ptr fs:[00000030h]2_2_0174F2AE
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_017592AB mov eax, dword ptr fs:[00000030h]2_2_017592AB
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0170E289 mov eax, dword ptr fs:[00000030h]2_2_0170E289
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01697290 mov eax, dword ptr fs:[00000030h]2_2_01697290
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01697290 mov eax, dword ptr fs:[00000030h]2_2_01697290
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01697290 mov eax, dword ptr fs:[00000030h]2_2_01697290
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016AC560 mov eax, dword ptr fs:[00000030h]2_2_016AC560
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169254C mov eax, dword ptr fs:[00000030h]2_2_0169254C
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0175A553 mov eax, dword ptr fs:[00000030h]2_2_0175A553
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0176B55F mov eax, dword ptr fs:[00000030h]2_2_0176B55F
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0176B55F mov eax, dword ptr fs:[00000030h]2_2_0176B55F
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C6540 mov eax, dword ptr fs:[00000030h]2_2_016C6540
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C8540 mov eax, dword ptr fs:[00000030h]2_2_016C8540
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016AE547 mov eax, dword ptr fs:[00000030h]2_2_016AE547
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A252B mov eax, dword ptr fs:[00000030h]2_2_016A252B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A252B mov eax, dword ptr fs:[00000030h]2_2_016A252B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A252B mov eax, dword ptr fs:[00000030h]2_2_016A252B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A252B mov eax, dword ptr fs:[00000030h]2_2_016A252B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A252B mov eax, dword ptr fs:[00000030h]2_2_016A252B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A252B mov eax, dword ptr fs:[00000030h]2_2_016A252B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A252B mov eax, dword ptr fs:[00000030h]2_2_016A252B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C1527 mov eax, dword ptr fs:[00000030h]2_2_016C1527
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CF523 mov eax, dword ptr fs:[00000030h]2_2_016CF523
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016D2539 mov eax, dword ptr fs:[00000030h]2_2_016D2539
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168753F mov eax, dword ptr fs:[00000030h]2_2_0168753F
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168753F mov eax, dword ptr fs:[00000030h]2_2_0168753F
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168753F mov eax, dword ptr fs:[00000030h]2_2_0168753F
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01693536 mov eax, dword ptr fs:[00000030h]2_2_01693536
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01693536 mov eax, dword ptr fs:[00000030h]2_2_01693536
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CC50D mov eax, dword ptr fs:[00000030h]2_2_016CC50D
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CC50D mov eax, dword ptr fs:[00000030h]2_2_016CC50D
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov ecx, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov ecx, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0173F51B mov eax, dword ptr fs:[00000030h]2_2_0173F51B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01692500 mov eax, dword ptr fs:[00000030h]2_2_01692500
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168B502 mov eax, dword ptr fs:[00000030h]2_2_0168B502
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0171C51D mov eax, dword ptr fs:[00000030h]2_2_0171C51D
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h]2_2_016BE507
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h]2_2_016BE507
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h]2_2_016BE507
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h]2_2_016BE507
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h]2_2_016BE507
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h]2_2_016BE507
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h]2_2_016BE507
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE507 mov eax, dword ptr fs:[00000030h]2_2_016BE507
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h]2_2_016B1514
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h]2_2_016B1514
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h]2_2_016B1514
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h]2_2_016B1514
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h]2_2_016B1514
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016B1514 mov eax, dword ptr fs:[00000030h]2_2_016B1514
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C15EF mov eax, dword ptr fs:[00000030h]2_2_016C15EF
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h]2_2_0169B5E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h]2_2_0169B5E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h]2_2_0169B5E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h]2_2_0169B5E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h]2_2_0169B5E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169B5E0 mov eax, dword ptr fs:[00000030h]2_2_0169B5E0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CA5E7 mov ebx, dword ptr fs:[00000030h]2_2_016CA5E7
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CA5E7 mov eax, dword ptr fs:[00000030h]2_2_016CA5E7
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0171C5FC mov eax, dword ptr fs:[00000030h]2_2_0171C5FC
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CC5C6 mov eax, dword ptr fs:[00000030h]2_2_016CC5C6
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h]2_2_0168F5C7
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h]2_2_0168F5C7
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h]2_2_0168F5C7
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h]2_2_0168F5C7
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h]2_2_0168F5C7
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h]2_2_0168F5C7
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h]2_2_0168F5C7
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h]2_2_0168F5C7
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168F5C7 mov eax, dword ptr fs:[00000030h]2_2_0168F5C7
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_017105C6 mov eax, dword ptr fs:[00000030h]2_2_017105C6
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C65D0 mov eax, dword ptr fs:[00000030h]2_2_016C65D0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016945B0 mov eax, dword ptr fs:[00000030h]2_2_016945B0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016945B0 mov eax, dword ptr fs:[00000030h]2_2_016945B0
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_017185AA mov eax, dword ptr fs:[00000030h]2_2_017185AA
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0171C592 mov eax, dword ptr fs:[00000030h]2_2_0171C592
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C9580 mov eax, dword ptr fs:[00000030h]2_2_016C9580
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C9580 mov eax, dword ptr fs:[00000030h]2_2_016C9580
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CA580 mov eax, dword ptr fs:[00000030h]2_2_016CA580
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CA580 mov eax, dword ptr fs:[00000030h]2_2_016CA580
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0174F582 mov eax, dword ptr fs:[00000030h]2_2_0174F582
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0170E588 mov eax, dword ptr fs:[00000030h]2_2_0170E588
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0170E588 mov eax, dword ptr fs:[00000030h]2_2_0170E588
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C2594 mov eax, dword ptr fs:[00000030h]2_2_016C2594
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0174F478 mov eax, dword ptr fs:[00000030h]2_2_0174F478
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0175A464 mov eax, dword ptr fs:[00000030h]2_2_0175A464
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01698470 mov eax, dword ptr fs:[00000030h]2_2_01698470
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01698470 mov eax, dword ptr fs:[00000030h]2_2_01698470
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h]2_2_016A0445
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h]2_2_016A0445
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h]2_2_016A0445
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h]2_2_016A0445
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h]2_2_016A0445
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016A0445 mov eax, dword ptr fs:[00000030h]2_2_016A0445
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE45E mov eax, dword ptr fs:[00000030h]2_2_016BE45E
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE45E mov eax, dword ptr fs:[00000030h]2_2_016BE45E
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE45E mov eax, dword ptr fs:[00000030h]2_2_016BE45E
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE45E mov eax, dword ptr fs:[00000030h]2_2_016BE45E
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016BE45E mov eax, dword ptr fs:[00000030h]2_2_016BE45E
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CD450 mov eax, dword ptr fs:[00000030h]2_2_016CD450
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016CD450 mov eax, dword ptr fs:[00000030h]2_2_016CD450
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h]2_2_0169D454
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h]2_2_0169D454
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h]2_2_0169D454
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h]2_2_0169D454
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h]2_2_0169D454
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0169D454 mov eax, dword ptr fs:[00000030h]2_2_0169D454
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0168B420 mov eax, dword ptr fs:[00000030h]2_2_0168B420
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C7425 mov eax, dword ptr fs:[00000030h]2_2_016C7425
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_016C7425 mov ecx, dword ptr fs:[00000030h]2_2_016C7425
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_01719429 mov eax, dword ptr fs:[00000030h]2_2_01719429
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0171F42F mov eax, dword ptr fs:[00000030h]2_2_0171F42F
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0171F42F mov eax, dword ptr fs:[00000030h]2_2_0171F42F
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0171F42F mov eax, dword ptr fs:[00000030h]2_2_0171F42F
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0171F42F mov eax, dword ptr fs:[00000030h]2_2_0171F42F
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exeCode function: 2_2_0171F42F mov eax, dword ptr fs:[00000030h]2_2_0171F42F
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtClose: Direct from: 0x7FF8D33E9E7F
            Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x4767F1D
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe NtClose: Indirect: 0x19BF629
            Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtResumeThread: Direct from: 0x476816B
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe NtQueueApcThread: Indirect: 0x19BF598
            Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x476FC82
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe NtSuspendThread: Indirect: 0x19C3ADD
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe NtResumeThread: Indirect: 0x19C3DED
            Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x7FF9076C2651
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe NtSetContextThread: Indirect: 0x19C37CD
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Memory written: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Section loaded: NULL target: C:\Windows\SysWOW64\RpcPing.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write
            Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\RpcPing.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Thread register set: target process: 7608
            Source: C:\Windows\SysWOW64\RpcPing.exe Thread register set: target process: 7608
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Process created: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe "C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe"
            Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\RpcPing.exe "C:\Windows\SysWOW64\RpcPing.exe"
            Source: RAVCpl64.exe, 00000003.00000002.183140108800.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.178472841975.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180018185324.0000000000B81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
            Source: RAVCpl64.exe, 00000003.00000002.183140108800.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.178472841975.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180020314207.00000000041C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: RAVCpl64.exe, 00000003.00000002.183140108800.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.178472841975.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180017693905.0000000000573000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
            Source: RAVCpl64.exe, 00000003.00000002.183140108800.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.178472841975.0000000000DA0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.180018185324.0000000000B81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: explorer.exe, 00000005.00000003.180694225109.0000000002A1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.180018765273.0000000002A1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.183140110315.0000000002A1E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndmQX#
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Queries volume information: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe VolumeInformation
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\ORIGINAL INVOICE COAU7230734293.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 2.2.ORIGINAL INVOICE COAU7230734293.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000002.00000002.178538615808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.178539531336.00000000011B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.180095014351.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.180094934887.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 112 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement