Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Invoice 1425004091.exe

Overview

General Information

Sample name:Invoice 1425004091.exe
Analysis ID:1640450
MD5:7336ce3ed0cafc3728cac0e7ab056872
SHA1:0d6d6e478462af02bb54957a3c2b1760d1d3d462
SHA256:799e2a0426beeafc490746851d8992cd169ed89c3d4244459f531a9f4fa72375
Tags:exeuser-TeamDreier
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • Invoice 1425004091.exe (PID: 5420 cmdline: "C:\Users\user\Desktop\Invoice 1425004091.exe" MD5: 7336CE3ED0CAFC3728CAC0E7AB056872)
    • Invoice 1425004091.exe (PID: 4680 cmdline: "C:\Users\user\Desktop\Invoice 1425004091.exe" MD5: 7336CE3ED0CAFC3728CAC0E7AB056872)
      • VSYBJyfGvx9hmVCehuRluIy.exe (PID: 1820 cmdline: "C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\BOePCalyzp.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • dxdiag.exe (PID: 5304 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
          • VSYBJyfGvx9hmVCehuRluIy.exe (PID: 5436 cmdline: "C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\yclAiT7mNA.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7376 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.3318682670.00000000047E0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000001.00000002.1325406897.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000001.00000002.1331760205.00000000037D0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        0000000C.00000002.3320610474.0000000004FE0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          00000005.00000002.3316270446.0000000000A50000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 3 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.Invoice 1425004091.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              1.2.Invoice 1425004091.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-17T10:44:10.648150+010028554651A Network Trojan was detected192.168.2.74969213.248.169.4880TCP
                2025-03-17T10:44:33.855046+010028554651A Network Trojan was detected192.168.2.74969613.248.169.4880TCP
                2025-03-17T10:44:47.238511+010028554651A Network Trojan was detected192.168.2.74970013.248.169.4880TCP
                2025-03-17T10:45:09.469759+010028554651A Network Trojan was detected192.168.2.74970413.248.169.4880TCP
                2025-03-17T10:45:22.820259+010028554651A Network Trojan was detected192.168.2.749708217.160.0.23680TCP
                2025-03-17T10:45:36.117026+010028554651A Network Trojan was detected192.168.2.749712209.74.77.23080TCP
                2025-03-17T10:45:49.337543+010028554651A Network Trojan was detected192.168.2.749716199.59.243.22880TCP
                2025-03-17T10:46:03.680674+010028554651A Network Trojan was detected192.168.2.749720107.148.6.14580TCP
                2025-03-17T10:46:16.842140+010028554651A Network Trojan was detected192.168.2.74972413.248.169.4880TCP
                2025-03-17T10:46:30.555679+010028554651A Network Trojan was detected192.168.2.749728188.114.97.380TCP
                2025-03-17T10:46:51.767791+010028554651A Network Trojan was detected192.168.2.7497323.33.130.19080TCP
                2025-03-17T10:47:05.036106+010028554651A Network Trojan was detected192.168.2.74973613.248.169.4880TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-17T10:44:26.220679+010028554641A Network Trojan was detected192.168.2.74969313.248.169.4880TCP
                2025-03-17T10:44:28.728681+010028554641A Network Trojan was detected192.168.2.74969413.248.169.4880TCP
                2025-03-17T10:44:31.285890+010028554641A Network Trojan was detected192.168.2.74969513.248.169.4880TCP
                2025-03-17T10:44:39.371702+010028554641A Network Trojan was detected192.168.2.74969713.248.169.4880TCP
                2025-03-17T10:44:42.065253+010028554641A Network Trojan was detected192.168.2.74969813.248.169.4880TCP
                2025-03-17T10:44:44.668461+010028554641A Network Trojan was detected192.168.2.74969913.248.169.4880TCP
                2025-03-17T10:45:00.815618+010028554641A Network Trojan was detected192.168.2.74970113.248.169.4880TCP
                2025-03-17T10:45:03.353007+010028554641A Network Trojan was detected192.168.2.74970213.248.169.4880TCP
                2025-03-17T10:45:05.930773+010028554641A Network Trojan was detected192.168.2.74970313.248.169.4880TCP
                2025-03-17T10:45:15.149693+010028554641A Network Trojan was detected192.168.2.749705217.160.0.23680TCP
                2025-03-17T10:45:17.716262+010028554641A Network Trojan was detected192.168.2.749706217.160.0.23680TCP
                2025-03-17T10:45:20.252666+010028554641A Network Trojan was detected192.168.2.749707217.160.0.23680TCP
                2025-03-17T10:45:28.450790+010028554641A Network Trojan was detected192.168.2.749709209.74.77.23080TCP
                2025-03-17T10:45:30.993357+010028554641A Network Trojan was detected192.168.2.749710209.74.77.23080TCP
                2025-03-17T10:45:33.560950+010028554641A Network Trojan was detected192.168.2.749711209.74.77.23080TCP
                2025-03-17T10:45:41.658977+010028554641A Network Trojan was detected192.168.2.749713199.59.243.22880TCP
                2025-03-17T10:45:44.211216+010028554641A Network Trojan was detected192.168.2.749714199.59.243.22880TCP
                2025-03-17T10:45:46.776056+010028554641A Network Trojan was detected192.168.2.749715199.59.243.22880TCP
                2025-03-17T10:45:55.836336+010028554641A Network Trojan was detected192.168.2.749717107.148.6.14580TCP
                2025-03-17T10:45:58.404545+010028554641A Network Trojan was detected192.168.2.749718107.148.6.14580TCP
                2025-03-17T10:46:01.066121+010028554641A Network Trojan was detected192.168.2.749719107.148.6.14580TCP
                2025-03-17T10:46:09.195757+010028554641A Network Trojan was detected192.168.2.74972113.248.169.4880TCP
                2025-03-17T10:46:11.736086+010028554641A Network Trojan was detected192.168.2.74972213.248.169.4880TCP
                2025-03-17T10:46:14.298837+010028554641A Network Trojan was detected192.168.2.74972313.248.169.4880TCP
                2025-03-17T10:46:23.419700+010028554641A Network Trojan was detected192.168.2.749725188.114.97.380TCP
                2025-03-17T10:46:25.044028+010028554641A Network Trojan was detected192.168.2.749726188.114.97.380TCP
                2025-03-17T10:46:28.519438+010028554641A Network Trojan was detected192.168.2.749727188.114.97.380TCP
                2025-03-17T10:46:44.114496+010028554641A Network Trojan was detected192.168.2.7497293.33.130.19080TCP
                2025-03-17T10:46:46.665493+010028554641A Network Trojan was detected192.168.2.7497303.33.130.19080TCP
                2025-03-17T10:46:49.216229+010028554641A Network Trojan was detected192.168.2.7497313.33.130.19080TCP
                2025-03-17T10:46:57.276555+010028554641A Network Trojan was detected192.168.2.74973313.248.169.4880TCP
                2025-03-17T10:46:59.849127+010028554641A Network Trojan was detected192.168.2.74973413.248.169.4880TCP
                2025-03-17T10:47:02.454479+010028554641A Network Trojan was detected192.168.2.74973513.248.169.4880TCP
                2025-03-17T10:47:10.546212+010028554641A Network Trojan was detected192.168.2.74973713.248.169.4880TCP
                2025-03-17T10:47:13.073561+010028554641A Network Trojan was detected192.168.2.74973813.248.169.4880TCP
                2025-03-17T10:47:16.121611+010028554641A Network Trojan was detected192.168.2.74973913.248.169.4880TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for URL or domain
                Source: http://www.blockchaintourism.xyz/t3sb/?dNLhe=HEteVdb0loX9TCJI+WJeoiAIOXww3dimQfLEmfsRQz8PUBwhHxoP95aVQBoW2e/8thx8RB/zzSUPBfvuAUDaX+Fu9LTmJCmvPkfa/9Jh44RZMXqLS+xgEnMLDCKwL8ZJa8GFqhPLfwQy&gbNx6=gT_x-pMhGvAvira URL Cloud: Label: malware
                Source: http://www.thisisnonft.studio/n045/Avira URL Cloud: Label: malware
                Source: http://www.thisisnonft.studio/n045/?dNLhe=Kg1/aFpGKMnhVBEUkiOsjo/Al7l9+YbzleOSUoobpbOI+fIV4I892KjJed3c+mujHuz90NdIU5GCAy6IeTvEZGxdu2StQe9sxBs31yV7/9N3qpWK+TRYHjMCmMpl8W4N/BxctWRTzKNM&gbNx6=gT_x-pMhGvAvira URL Cloud: Label: malware
                Multi AV Scanner detection for submitted file
                Source: Invoice 1425004091.exeVirustotal: Detection: 35%Perma Link
                Source: Invoice 1425004091.exeReversingLabs: Detection: 23%
                Yara detected FormBook
                Source: Yara matchFile source: 1.2.Invoice 1425004091.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Invoice 1425004091.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3318682670.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1325406897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1331760205.00000000037D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.3320610474.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3316270446.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3318732161.0000000004830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1329547108.0000000001A60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.3318435329.0000000002720000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: Invoice 1425004091.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Invoice 1425004091.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: dxdiag.pdbGCTL source: VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000002.3317181546.000000000095E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: OgKq.pdbSHA256U source: Invoice 1425004091.exe
                Source: Binary string: wntdll.pdbUGP source: Invoice 1425004091.exe, 00000001.00000002.1327748198.0000000001710000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000003.1324503246.000000000462A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000003.1330956100.00000000047D1000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000002.3318817875.0000000004B1E000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000002.3318817875.0000000004980000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: dxdiag.pdb source: VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000002.3317181546.000000000095E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Invoice 1425004091.exe, Invoice 1425004091.exe, 00000001.00000002.1327748198.0000000001710000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, dxdiag.exe, 00000005.00000003.1324503246.000000000462A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000003.1330956100.00000000047D1000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000002.3318817875.0000000004B1E000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000002.3318817875.0000000004980000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: OgKq.pdb source: Invoice 1425004091.exe
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000002.3317654473.0000000000DCF000.00000002.00000001.01000000.0000000D.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 0000000C.00000000.1395281636.0000000000DCF000.00000002.00000001.01000000.0000000D.sdmp
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A6C9E0 FindFirstFileW,FindNextFileW,FindClose,5_2_00A6C9E0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 4x nop then jmp 0695F273h0_2_0695EF3A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 4x nop then xor esi, esi1_2_00418AEA
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 4x nop then xor eax, eax5_2_00A59F10
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 4x nop then mov ebx, 00000004h5_2_04CD04DF

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49724 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49716 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49702 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49697 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49704 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49726 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49738 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49706 -> 217.160.0.236:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49693 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49692 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49707 -> 217.160.0.236:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49705 -> 217.160.0.236:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49713 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49711 -> 209.74.77.230:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49694 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49710 -> 209.74.77.230:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49703 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49696 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49701 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49732 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49718 -> 107.148.6.145:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49699 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49712 -> 209.74.77.230:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49737 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49717 -> 107.148.6.145:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49698 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49700 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49733 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49734 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49695 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49715 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49723 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49709 -> 209.74.77.230:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49714 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49708 -> 217.160.0.236:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49731 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49727 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49730 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49721 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49728 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49722 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49725 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49739 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49720 -> 107.148.6.145:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49719 -> 107.148.6.145:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49735 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49729 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49736 -> 13.248.169.48:80
                Performs DNS queries to domains with low reputation
                Source: DNS query: www.seekmeme.xyz
                Source: DNS query: www.myfort.xyz
                Source: DNS query: www.blockchaintourism.xyz
                Source: DNS query: www.persembunyian.xyz
                Source: DNS query: www.kantad.xyz
                Source: DNS query: www.tether1.xyz
                Source: DNS query: www.furacao.xyz
                Source: DNS query: www.drlara.xyz
                Source: DNS query: www.bawiin.xyz
                Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /jnjq/?gbNx6=gT_x-pMhGv&dNLhe=fYRBpq79/vdLM/DPr0STJdujI9Hvvyjl68e08EeOFQJvBUWO3am1R+W+phJmgy/s/r3iuW7pGCpbnyWZa3Gh+JImBwQa/uUuwiouVuJaBeWmWRcPv4/P6c1dGsHPFNnLQyNwRwr2goKy HTTP/1.1Host: www.seekmeme.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /regg/?dNLhe=PAmcXzTqSfUijjzHpTnYcBrTkM71lW81c3IHYjA8Krt584xkA/rjcOMKFKFzXd5oQDUyuOhJZTtnd+0gRL9oiE5smU571ilO9BZk7VwjJizt+8XrbYOCX8K+190CHnsq9bXqz15Nkwn4&gbNx6=gT_x-pMhGv HTTP/1.1Host: www.myfort.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /t3sb/?dNLhe=HEteVdb0loX9TCJI+WJeoiAIOXww3dimQfLEmfsRQz8PUBwhHxoP95aVQBoW2e/8thx8RB/zzSUPBfvuAUDaX+Fu9LTmJCmvPkfa/9Jh44RZMXqLS+xgEnMLDCKwL8ZJa8GFqhPLfwQy&gbNx6=gT_x-pMhGv HTTP/1.1Host: www.blockchaintourism.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /bi7u/?gbNx6=gT_x-pMhGv&dNLhe=nHws1j0sm5LWhKJJnbe21mmb58UCBJmF8923TJe5xzXsLv8edAM+FUf+gOM1c/pFatMF3UDmCvERFe3bt+SyjHc5ZiaSSSBSLpEckqXkNS8etgej5TYqkszUgW+sNhDf7dhaqqoLdvf8 HTTP/1.1Host: www.iooe.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /n045/?dNLhe=Kg1/aFpGKMnhVBEUkiOsjo/Al7l9+YbzleOSUoobpbOI+fIV4I892KjJed3c+mujHuz90NdIU5GCAy6IeTvEZGxdu2StQe9sxBs31yV7/9N3qpWK+TRYHjMCmMpl8W4N/BxctWRTzKNM&gbNx6=gT_x-pMhGv HTTP/1.1Host: www.thisisnonft.studioAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /zhv2/?gbNx6=gT_x-pMhGv&dNLhe=dDSKm3gEoRYza6KS01eFBOW+DHfLHGjXV+uzWu228M6JzN3Pvry6D8nAjFeivr8BLh4TFOP1Uj2+Tn25f8DVw8cSEQu05FVxISI5XCZZplklxVNpoFW1pyDl0LWezI7wFoP0t5Z7GW10 HTTP/1.1Host: www.thriay.websiteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /x6ep/?dNLhe=T32mkHhYAlDJyMIwLNAVwmYk4HIRA0B53CrBP/3sN9QNlPQDRbZAJkxC5z+ku75vBkQpYxnkW8kZgrxJCLfFr0CFydWUtogBjgDQzESnAVpEaNYPDvHlOxtnBmDQtv7sDFOWuhBsloVL&gbNx6=gT_x-pMhGv HTTP/1.1Host: www.gane4.latAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /ij9y/?dNLhe=LIb/uEPn3lmrqfs3TAu+/35i1KslXCI+02hK0TSGrwRYZJ3EF/TIBXPgi0s5v7w1XQ5TaOVn95AhXneeny4wfenv+n7q/s6rpIXugBL5QQcirBjye1+gTDyIs1m9/yCoh8bCONff/6Pp&gbNx6=gT_x-pMhGv HTTP/1.1Host: www.10134.appAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /2kmu/?dNLhe=JcbGVkyLHk7wbXdwn85f36qeJ8pQZFnpm41F3OM3CJfGfheODZEGFIK9J0d9CWKa2BXzqygSoakPLEpaLUVudqBoA+zEqVwdTzRyrQYP4JbFMwZOp25tNGiWR8lz8LanRhuSu8rqDwSc&gbNx6=gT_x-pMhGv HTTP/1.1Host: www.kantad.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /focp/?dNLhe=mXJHtAZSrcMVNAYB/qej32QGG4aLUkMzhzcfA/LZkfgqhdihAxT3aslAf9nOYajIz7QizkjlvIUHcb1FopIoGDdhUDGL//B50NOy0WhfCDI0Lf1grDIojnPoK1praCsucVOHGMF0wK5r&gbNx6=gT_x-pMhGv HTTP/1.1Host: www.tether1.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /mbjv/?gbNx6=gT_x-pMhGv&dNLhe=5qUXdsyzVae3u/RhTkf8er3XzTCYYONcm4gvK8eGl2rHQDMBjzLvTzE75Mlc27Grgu3TUA1LZ1fwZl+kwnQTLUV/r6kc4xZdg7EpTBFc0gneTPK9qTYOJzI/CKBNB7FgyMUmN+ZgUsV1 HTTP/1.1Host: www.ylv.mediaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /mhbk/?dNLhe=uO2wLjIG0b4Su6/kfGnOO+pQMK5iUkKX97SIZogVbo5+e7EyyTKvOuKHK9kJs5pDbWJlx2sesrX2UqKYhYH+vWsGGYZwRfhYSPpGbK0vt8gTSipd7BEmv1V/DemLDHqIjEUdcGasLLqG&gbNx6=gT_x-pMhGv HTTP/1.1Host: www.drlara.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)
                Source: global trafficDNS traffic detected: DNS query: www.seekmeme.xyz
                Source: global trafficDNS traffic detected: DNS query: www.myfort.xyz
                Source: global trafficDNS traffic detected: DNS query: www.blockchaintourism.xyz
                Source: global trafficDNS traffic detected: DNS query: www.persembunyian.xyz
                Source: global trafficDNS traffic detected: DNS query: www.iooe.net
                Source: global trafficDNS traffic detected: DNS query: www.thisisnonft.studio
                Source: global trafficDNS traffic detected: DNS query: www.thriay.website
                Source: global trafficDNS traffic detected: DNS query: www.gane4.lat
                Source: global trafficDNS traffic detected: DNS query: www.10134.app
                Source: global trafficDNS traffic detected: DNS query: www.kantad.xyz
                Source: global trafficDNS traffic detected: DNS query: www.tether1.xyz
                Source: global trafficDNS traffic detected: DNS query: www.furacao.xyz
                Source: global trafficDNS traffic detected: DNS query: www.ylv.media
                Source: global trafficDNS traffic detected: DNS query: www.drlara.xyz
                Source: global trafficDNS traffic detected: DNS query: www.bawiin.xyz
                Source: unknownHTTP traffic detected: POST /regg/ HTTP/1.1Host: www.myfort.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brConnection: closeContent-Length: 218Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedOrigin: http://www.myfort.xyzReferer: http://www.myfort.xyz/regg/User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E)Data Raw: 64 4e 4c 68 65 3d 43 43 4f 38 55 46 66 58 51 65 41 77 38 44 6e 72 69 7a 65 36 5a 6a 75 31 71 49 36 78 6b 57 67 4a 64 33 77 43 51 41 38 65 42 4a 63 62 69 62 74 78 4f 65 6a 4e 43 4e 34 30 44 75 4a 76 47 76 64 63 58 6a 35 42 76 63 46 66 5a 7a 4e 73 4b 4b 77 38 52 38 31 34 6c 58 30 55 31 55 6b 42 73 41 35 37 7a 41 78 6e 79 56 6b 36 48 7a 2f 57 32 63 44 4d 61 34 61 51 4b 71 36 56 73 65 6c 67 57 48 6b 7a 35 62 2f 6c 34 56 4e 42 6a 78 4c 37 75 72 4b 47 39 6b 4b 6a 2b 36 2b 68 38 67 4f 69 63 66 77 6c 38 50 4f 57 76 4b 33 51 4f 64 51 71 65 48 42 46 68 38 61 77 4b 6b 6b 63 64 63 66 6f 53 48 59 67 7a 2f 57 6d 75 6c 59 77 39 49 36 55 70 35 44 4b 38 51 3d 3d Data Ascii: dNLhe=CCO8UFfXQeAw8Dnrize6Zju1qI6xkWgJd3wCQA8eBJcbibtxOejNCN40DuJvGvdcXj5BvcFfZzNsKKw8R814lX0U1UkBsA57zAxnyVk6Hz/W2cDMa4aQKq6VselgWHkz5b/l4VNBjxL7urKG9kKj+6+h8gOicfwl8POWvK3QOdQqeHBFh8awKkkcdcfoSHYgz/WmulYw9I6Up5DK8Q==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-WS-RateLimit-Limit: 100X-WS-RateLimit-Remaining: 99Date: Mon, 17 Mar 2025 09:45:15 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-WS-RateLimit-Limit: 100X-WS-RateLimit-Remaining: 99Date: Mon, 17 Mar 2025 09:45:17 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-WS-RateLimit-Limit: 100X-WS-RateLimit-Remaining: 99Date: Mon, 17 Mar 2025 09:45:20 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 837Connection: closeX-WS-RateLimit-Limit: 100X-WS-RateLimit-Remaining: 99Date: Mon, 17 Mar 2025 09:45:22 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 4c 65 20 66 69 63 68 69 65 72 20 72 65 71 75 69 73 20 6e 27 61 20 70 61 73 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 74 72 6f 75 76 26 65 61 63 75 74 65 3b 2e 0a 49 6c 20 70 65 75 74 20 73 27 61 67 69 72 20 64 27 75 6e 65 20 65 72 72 65 75 72 20 74 65 63 68 6e 69 71 75 65 2e 20 56 65 75 69 6c 6c 65 7a 20 72 26 65 61 63 75 74 65 3b 65 73 73 61 79 65 72 20 75 6c 74 26 65 61 63 75 74 65 3b 72 69 65 75 72 65 6d 65 6e 74 2e 20 53 69 20 76 6f 75 73 20 6e 65 20 70 6f 75 76 65 7a 20 70 61 73 20 61 63 63 26 65 61 63 75 74 65 3b 64 65 72 20 61 75 20 66 69 63 68 69 65 72 20 61 70 72 26 65 67 72 61 76 65 3b 73 20 70 6c 75 73 69 65 75 72 73 20 74 65 6e 74 61 74 69 76 65 73 2c 20 63 65 6c 61 20 73 69 67 6e 69 66 69 65 20 71 75 27 69 6c 20 61 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 73 75 70 70 72 69 6d 26 65 61 63 75 74 65 3b 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 09:45:28 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 09:45:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 09:45:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Mar 2025 09:45:36 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 17 Mar 2025 09:45:55 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66706af2-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 17 Mar 2025 09:45:58 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66706af2-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 17 Mar 2025 09:46:00 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66706af2-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 17 Mar 2025 09:46:03 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66706af2-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: VSYBJyfGvx9hmVCehuRluIy.exe, 0000000C.00000002.3320610474.0000000005033000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.bawiin.xyz
                Source: VSYBJyfGvx9hmVCehuRluIy.exe, 0000000C.00000002.3320610474.0000000005033000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.bawiin.xyz/ys2n/
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/?q=
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: dxdiag.exe, 00000005.00000002.3316880840.0000000002D3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: dxdiag.exe, 00000005.00000002.3316880840.0000000002D5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: dxdiag.exe, 00000005.00000002.3316880840.0000000002D3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf#
                Source: dxdiag.exe, 00000005.00000002.3316880840.0000000002D3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
                Source: dxdiag.exe, 00000005.00000002.3316880840.0000000002D3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: dxdiag.exe, 00000005.00000002.3316880840.0000000002D3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: dxdiag.exe, 00000005.00000002.3316880840.0000000002D3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: dxdiag.exe, 00000005.00000002.3316880840.0000000002D3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: dxdiag.exe, 00000005.00000003.1504108960.0000000007CFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: dxdiag.exe, 00000005.00000002.3319297973.0000000005F42000.00000004.10000000.00040000.00000000.sdmp, dxdiag.exe, 00000005.00000002.3321375176.00000000079C0000.00000004.00000800.00020000.00000000.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 0000000C.00000002.3318813352.0000000003A92000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 1.2.Invoice 1425004091.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Invoice 1425004091.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3318682670.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1325406897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1331760205.00000000037D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.3320610474.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3316270446.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3318732161.0000000004830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1329547108.0000000001A60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.3318435329.0000000002720000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: Invoice 1425004091.exe
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0042CC13 NtClose,1_2_0042CC13
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782B60 NtClose,LdrInitializeThunk,1_2_01782B60
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_01782DF0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_01782C70
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017835C0 NtCreateMutant,LdrInitializeThunk,1_2_017835C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01784340 NtSetContextThread,1_2_01784340
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01784650 NtSuspendThread,1_2_01784650
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782BF0 NtAllocateVirtualMemory,1_2_01782BF0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782BE0 NtQueryValueKey,1_2_01782BE0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782BA0 NtEnumerateValueKey,1_2_01782BA0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782B80 NtQueryInformationFile,1_2_01782B80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782AF0 NtWriteFile,1_2_01782AF0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782AD0 NtReadFile,1_2_01782AD0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782AB0 NtWaitForSingleObject,1_2_01782AB0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782D30 NtUnmapViewOfSection,1_2_01782D30
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782D10 NtMapViewOfSection,1_2_01782D10
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782D00 NtSetInformationFile,1_2_01782D00
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782DD0 NtDelayExecution,1_2_01782DD0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782DB0 NtEnumerateKey,1_2_01782DB0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782C60 NtCreateKey,1_2_01782C60
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782C00 NtQueryInformationProcess,1_2_01782C00
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782CF0 NtOpenProcess,1_2_01782CF0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782CC0 NtQueryVirtualMemory,1_2_01782CC0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782CA0 NtQueryInformationToken,1_2_01782CA0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782F60 NtCreateProcessEx,1_2_01782F60
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782F30 NtCreateSection,1_2_01782F30
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782FE0 NtCreateFile,1_2_01782FE0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782FB0 NtResumeThread,1_2_01782FB0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782FA0 NtQuerySection,1_2_01782FA0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782F90 NtProtectVirtualMemory,1_2_01782F90
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782E30 NtWriteVirtualMemory,1_2_01782E30
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782EE0 NtQueueApcThread,1_2_01782EE0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782EA0 NtAdjustPrivilegesToken,1_2_01782EA0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782E80 NtReadVirtualMemory,1_2_01782E80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01783010 NtOpenDirectoryObject,1_2_01783010
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01783090 NtSetValueKey,1_2_01783090
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017839B0 NtGetContextThread,1_2_017839B0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01783D70 NtOpenThread,1_2_01783D70
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01783D10 NtOpenProcessToken,1_2_01783D10
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F4650 NtSuspendThread,LdrInitializeThunk,5_2_049F4650
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F4340 NtSetContextThread,LdrInitializeThunk,5_2_049F4340
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_049F2CA0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_049F2C70
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2C60 NtCreateKey,LdrInitializeThunk,5_2_049F2C60
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2DD0 NtDelayExecution,LdrInitializeThunk,5_2_049F2DD0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_049F2DF0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2D10 NtMapViewOfSection,LdrInitializeThunk,5_2_049F2D10
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_049F2D30
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2E80 NtReadVirtualMemory,LdrInitializeThunk,5_2_049F2E80
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2EE0 NtQueueApcThread,LdrInitializeThunk,5_2_049F2EE0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2FB0 NtResumeThread,LdrInitializeThunk,5_2_049F2FB0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2FE0 NtCreateFile,LdrInitializeThunk,5_2_049F2FE0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2F30 NtCreateSection,LdrInitializeThunk,5_2_049F2F30
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2AD0 NtReadFile,LdrInitializeThunk,5_2_049F2AD0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2AF0 NtWriteFile,LdrInitializeThunk,5_2_049F2AF0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2BA0 NtEnumerateValueKey,LdrInitializeThunk,5_2_049F2BA0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_049F2BF0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2BE0 NtQueryValueKey,LdrInitializeThunk,5_2_049F2BE0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2B60 NtClose,LdrInitializeThunk,5_2_049F2B60
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F35C0 NtCreateMutant,LdrInitializeThunk,5_2_049F35C0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F39B0 NtGetContextThread,LdrInitializeThunk,5_2_049F39B0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2CC0 NtQueryVirtualMemory,5_2_049F2CC0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2CF0 NtOpenProcess,5_2_049F2CF0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2C00 NtQueryInformationProcess,5_2_049F2C00
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2DB0 NtEnumerateKey,5_2_049F2DB0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2D00 NtSetInformationFile,5_2_049F2D00
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2EA0 NtAdjustPrivilegesToken,5_2_049F2EA0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2E30 NtWriteVirtualMemory,5_2_049F2E30
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2F90 NtProtectVirtualMemory,5_2_049F2F90
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2FA0 NtQuerySection,5_2_049F2FA0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2F60 NtCreateProcessEx,5_2_049F2F60
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2AB0 NtWaitForSingleObject,5_2_049F2AB0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F2B80 NtQueryInformationFile,5_2_049F2B80
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F3090 NtSetValueKey,5_2_049F3090
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F3010 NtOpenDirectoryObject,5_2_049F3010
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F3D10 NtOpenProcessToken,5_2_049F3D10
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F3D70 NtOpenThread,5_2_049F3D70
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A79570 NtCreateFile,5_2_00A79570
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A796E0 NtReadFile,5_2_00A796E0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A797D0 NtDeleteFile,5_2_00A797D0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A79870 NtClose,5_2_00A79870
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A799D0 NtAllocateVirtualMemory,5_2_00A799D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_00BDD6FC0_2_00BDD6FC
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_0695D22C0_2_0695D22C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_0695A7180_2_0695A718
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_0695A7080_2_0695A708
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_069572BA0_2_069572BA
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_0695A2D00_2_0695A2D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_0695A2E00_2_0695A2E0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_0695AF880_2_0695AF88
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_0695CA100_2_0695CA10
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_0695CA200_2_0695CA20
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_06955A220_2_06955A22
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 0_2_0695AB500_2_0695AB50
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00418B531_2_00418B53
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_004031001_2_00403100
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0042F2431_2_0042F243
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00402BC01_2_00402BC0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_004103B31_2_004103B3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00402BB31_2_00402BB3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00416D631_2_00416D63
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00416D681_2_00416D68
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0040250C1_2_0040250C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_004025101_2_00402510
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0040E5C31_2_0040E5C3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_004105D31_2_004105D3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0040E5BA1_2_0040E5BA
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00402EA01_2_00402EA0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0040E70E1_2_0040E70E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0040E7131_2_0040E713
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018041A21_2_018041A2
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D81581_2_017D8158
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018101AA1_2_018101AA
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018081CC1_2_018081CC
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EA1181_2_017EA118
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017401001_2_01740100
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E20001_2_017E2000
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018103E61_2_018103E6
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175E3F01_2_0175E3F0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180A3521_2_0180A352
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F02741_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D02C01_2_017D02C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018105911_2_01810591
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017505351_2_01750535
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F44201_2_017F4420
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017FE4F61_2_017FE4F6
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018024461_2_01802446
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017507701_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017747501_2_01774750
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174C7C01_2_0174C7C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176C6E01_2_0176C6E0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017669621_2_01766962
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0181A9A61_2_0181A9A6
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A01_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017528401_2_01752840
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175A8401_2_0175A840
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E8F01_2_0177E8F0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017368B81_2_017368B8
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01806BD71_2_01806BD7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180AB401_2_0180AB40
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174EA801_2_0174EA80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017ECD1F1_2_017ECD1F
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175AD001_2_0175AD00
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174ADE01_2_0174ADE0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01768DBF1_2_01768DBF
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750C001_2_01750C00
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01740CF21_2_01740CF2
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0CB51_2_017F0CB5
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C4F401_2_017C4F40
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01770F301_2_01770F30
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F2F301_2_017F2F30
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01792F281_2_01792F28
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175CFE01_2_0175CFE0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01742FC81_2_01742FC8
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CEFA01_2_017CEFA0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180CE931_2_0180CE93
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750E591_2_01750E59
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180EEDB1_2_0180EEDB
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180EE261_2_0180EE26
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01762E901_2_01762E90
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173F1721_2_0173F172
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0178516C1_2_0178516C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175B1B01_2_0175B1B0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0181B16B1_2_0181B16B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180F0E01_2_0180F0E0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018070E91_2_018070E9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017FF0CC1_2_017FF0CC
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017570C01_2_017570C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173D34C1_2_0173D34C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180132D1_2_0180132D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0179739A1_2_0179739A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F12ED1_2_017F12ED
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176B2C01_2_0176B2C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017552A01_2_017552A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017ED5B01_2_017ED5B0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018075711_2_01807571
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017414601_2_01741460
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180F43F1_2_0180F43F
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180F7B01_2_0180F7B0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017956301_2_01795630
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018016CC1_2_018016CC
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017599501_2_01759950
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176B9501_2_0176B950
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E59101_2_017E5910
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BD8001_2_017BD800
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017538E01_2_017538E0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0178DBF91_2_0178DBF9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C5BF01_2_017C5BF0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180FB761_2_0180FB76
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176FB801_2_0176FB80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C3A6C1_2_017C3A6C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017FDAC61_2_017FDAC6
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01807A461_2_01807A46
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180FA491_2_0180FA49
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EDAAC1_2_017EDAAC
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01795AA01_2_01795AA0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F1AA31_2_017F1AA3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01753D401_2_01753D40
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176FDC01_2_0176FDC0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01801D5A1_2_01801D5A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01807D731_2_01807D73
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C9C321_2_017C9C32
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180FCF21_2_0180FCF2
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180FFB11_2_0180FFB1
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180FF091_2_0180FF09
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01751F921_2_01751F92
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01759EB01_2_01759EB0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A6E4F65_2_04A6E4F6
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A644205_2_04A64420
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A724465_2_04A72446
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A805915_2_04A80591
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C05355_2_049C0535
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049DC6E05_2_049DC6E0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049BC7C05_2_049BC7C0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049E47505_2_049E4750
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C07705_2_049C0770
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A520005_2_04A52000
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A801AA5_2_04A801AA
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A741A25_2_04A741A2
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A781CC5_2_04A781CC
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049B01005_2_049B0100
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A5A1185_2_04A5A118
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A481585_2_04A48158
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A402C05_2_04A402C0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A602745_2_04A60274
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A803E65_2_04A803E6
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049CE3F05_2_049CE3F0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7A3525_2_04A7A352
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A60CB55_2_04A60CB5
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049B0CF25_2_049B0CF2
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C0C005_2_049C0C00
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049D8DBF5_2_049D8DBF
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049BADE05_2_049BADE0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049CAD005_2_049CAD00
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A5CD1F5_2_04A5CD1F
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049D2E905_2_049D2E90
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7CE935_2_04A7CE93
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7EEDB5_2_04A7EEDB
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7EE265_2_04A7EE26
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C0E595_2_049C0E59
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A3EFA05_2_04A3EFA0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049B2FC85_2_049B2FC8
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049CCFE05_2_049CCFE0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A02F285_2_04A02F28
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A62F305_2_04A62F30
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049E0F305_2_049E0F30
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A34F405_2_04A34F40
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049A68B85_2_049A68B8
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049EE8F05_2_049EE8F0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049CA8405_2_049CA840
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C28405_2_049C2840
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A8A9A65_2_04A8A9A6
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C29A05_2_049C29A0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049D69625_2_049D6962
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049BEA805_2_049BEA80
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A76BD75_2_04A76BD7
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7AB405_2_04A7AB40
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7F43F5_2_04A7F43F
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049B14605_2_049B1460
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A5D5B05_2_04A5D5B0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A775715_2_04A77571
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A716CC5_2_04A716CC
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A056305_2_04A05630
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7F7B05_2_04A7F7B0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7F0E05_2_04A7F0E0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A770E95_2_04A770E9
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C70C05_2_049C70C0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A6F0CC5_2_04A6F0CC
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049CB1B05_2_049CB1B0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A8B16B5_2_04A8B16B
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049AF1725_2_049AF172
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049F516C5_2_049F516C
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C52A05_2_049C52A0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A612ED5_2_04A612ED
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049DB2C05_2_049DB2C0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A0739A5_2_04A0739A
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7132D5_2_04A7132D
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049AD34C5_2_049AD34C
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7FCF25_2_04A7FCF2
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A39C325_2_04A39C32
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049DFDC05_2_049DFDC0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A77D735_2_04A77D73
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C3D405_2_049C3D40
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A71D5A5_2_04A71D5A
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C9EB05_2_049C9EB0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C1F925_2_049C1F92
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7FFB15_2_04A7FFB1
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04983FD25_2_04983FD2
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04983FD55_2_04983FD5
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7FF095_2_04A7FF09
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C38E05_2_049C38E0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A2D8005_2_04A2D800
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A559105_2_04A55910
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049C99505_2_049C9950
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049DB9505_2_049DB950
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A05AA05_2_04A05AA0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A61AA35_2_04A61AA3
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A5DAAC5_2_04A5DAAC
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A6DAC65_2_04A6DAC6
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A33A6C5_2_04A33A6C
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A77A465_2_04A77A46
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7FA495_2_04A7FA49
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049DFB805_2_049DFB80
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A35BF05_2_04A35BF0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049FDBF95_2_049FDBF9
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04A7FB765_2_04A7FB76
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A621205_2_00A62120
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A5D0105_2_00A5D010
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A5B2205_2_00A5B220
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A5D2305_2_00A5D230
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A5B2175_2_00A5B217
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A5B36B5_2_00A5B36B
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A5B3705_2_00A5B370
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A657B05_2_00A657B0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A639C55_2_00A639C5
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A639C05_2_00A639C0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A7BEA05_2_00A7BEA0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CDE4A35_2_04CDE4A3
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CE54245_2_04CE5424
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CDE3845_2_04CDE384
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CDE83D5_2_04CDE83D
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CDD9085_2_04CDD908
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CE5BD15_2_04CE5BD1
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: String function: 017CF290 appears 105 times
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: String function: 01797E54 appears 102 times
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: String function: 0173B970 appears 280 times
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: String function: 017BEA12 appears 86 times
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: String function: 01785130 appears 58 times
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: String function: 04A07E54 appears 111 times
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: String function: 04A3F290 appears 105 times
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: String function: 049AB970 appears 280 times
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: String function: 049F5130 appears 58 times
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: String function: 04A2EA12 appears 86 times
                Source: Invoice 1425004091.exe, 00000000.00000002.857796394.00000000025CE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs Invoice 1425004091.exe
                Source: Invoice 1425004091.exe, 00000000.00000002.856819946.000000000079E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Invoice 1425004091.exe
                Source: Invoice 1425004091.exe, 00000000.00000002.873707364.0000000008520000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Invoice 1425004091.exe
                Source: Invoice 1425004091.exe, 00000000.00000002.873590684.00000000082A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs Invoice 1425004091.exe
                Source: Invoice 1425004091.exe, 00000000.00000000.844578726.0000000000186000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameOgKq.exe( vs Invoice 1425004091.exe
                Source: Invoice 1425004091.exe, 00000000.00000002.857796394.0000000002668000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs Invoice 1425004091.exe
                Source: Invoice 1425004091.exe, 00000001.00000002.1327748198.000000000183D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Invoice 1425004091.exe
                Source: Invoice 1425004091.exeBinary or memory string: OriginalFilenameOgKq.exe( vs Invoice 1425004091.exe
                Source: Invoice 1425004091.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Invoice 1425004091.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, UQ0i0lHev5nYnvHtPH.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, UQ0i0lHev5nYnvHtPH.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, xhnSuHN4lkD8f6pwa5.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, xhnSuHN4lkD8f6pwa5.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, xhnSuHN4lkD8f6pwa5.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@15/7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice 1425004091.exe.logJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeMutant created: NULL
                Source: C:\Windows\SysWOW64\dxdiag.exeFile created: C:\Users\user~1\AppData\Local\Temp\20Xb-18Jump to behavior
                Source: Invoice 1425004091.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Invoice 1425004091.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: dxdiag.exe, 00000005.00000002.3316880840.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000003.1510518163.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000003.1506595319.0000000002D9F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000002.3316880840.0000000002D9F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Invoice 1425004091.exeVirustotal: Detection: 35%
                Source: Invoice 1425004091.exeReversingLabs: Detection: 23%
                Source: unknownProcess created: C:\Users\user\Desktop\Invoice 1425004091.exe "C:\Users\user\Desktop\Invoice 1425004091.exe"
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess created: C:\Users\user\Desktop\Invoice 1425004091.exe "C:\Users\user\Desktop\Invoice 1425004091.exe"
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
                Source: C:\Windows\SysWOW64\dxdiag.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess created: C:\Users\user\Desktop\Invoice 1425004091.exe "C:\Users\user\Desktop\Invoice 1425004091.exe"Jump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: Invoice 1425004091.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Invoice 1425004091.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Invoice 1425004091.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: dxdiag.pdbGCTL source: VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000002.3317181546.000000000095E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: OgKq.pdbSHA256U source: Invoice 1425004091.exe
                Source: Binary string: wntdll.pdbUGP source: Invoice 1425004091.exe, 00000001.00000002.1327748198.0000000001710000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000003.1324503246.000000000462A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000003.1330956100.00000000047D1000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000002.3318817875.0000000004B1E000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000002.3318817875.0000000004980000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: dxdiag.pdb source: VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000002.3317181546.000000000095E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Invoice 1425004091.exe, Invoice 1425004091.exe, 00000001.00000002.1327748198.0000000001710000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, dxdiag.exe, 00000005.00000003.1324503246.000000000462A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000003.1330956100.00000000047D1000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000002.3318817875.0000000004B1E000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000005.00000002.3318817875.0000000004980000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: OgKq.pdb source: Invoice 1425004091.exe
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000002.3317654473.0000000000DCF000.00000002.00000001.01000000.0000000D.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 0000000C.00000000.1395281636.0000000000DCF000.00000002.00000001.01000000.0000000D.sdmp

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, xhnSuHN4lkD8f6pwa5.cs.Net Code: tUVxLx9vEtGWbWUNgYx System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00402205 push edx; iretd 1_2_00402216
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00402217 push esi; iretd 1_2_00402218
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_004182C3 push esi; iretd 1_2_00418352
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00401AC3 push esi; retf 1_2_00401AD6
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00418334 push esi; iretd 1_2_00418352
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00404BE6 push eax; ret 1_2_00404BE7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_004033A0 push eax; ret 1_2_004033A2
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017409AD push ecx; mov dword ptr [esp], ecx1_2_017409B6
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049827FA pushad ; ret 5_2_049827F9
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_0498225F pushad ; ret 5_2_049827F9
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_0498283D push eax; iretd 5_2_04982858
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_049B09AD push ecx; mov dword ptr [esp], ecx5_2_049B09B6
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A6A2F3 push 1E55D481h; retf 5_2_00A6A321
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A6C33A push 4577BC2Fh; ret 5_2_00A6C36E
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A6C536 push ecx; retf 5_2_00A6C537
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A6287E pushfd ; ret 5_2_00A628A0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A64F91 push esi; iretd 5_2_00A64FAF
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A64F20 push esi; iretd 5_2_00A64FAF
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A51843 push eax; ret 5_2_00A51844
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A6BDAA push es; ret 5_2_00A6BDC2
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A6DE30 pushad ; iretd 5_2_00A6DE43
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A6BE38 push 7D3C0A07h; iretd 5_2_00A6BE3D
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CDC4C5 pushfd ; retf 5_2_04CDC4C6
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CD7448 push eax; iretd 5_2_04CD749E
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CD5179 push ss; iretd 5_2_04CD517A
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CDC26C push eax; ret 5_2_04CDC26D
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CDB26A push ss; ret 5_2_04CDB26B
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CE5262 push eax; ret 5_2_04CE5264
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CD522D push eax; iretd 5_2_04CD522E
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CDACAC pushad ; retf 5_2_04CDACB4
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_04CE0C7D push cs; iretd 5_2_04CE0C7E
                Source: Invoice 1425004091.exeStatic PE information: section name: .text entropy: 7.838368909086319
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, TZwGX3iPvsvsJ9H9rb.csHigh entropy of concatenated method names: 'QJnOKAou9V', 'dZnOSVxMwL', 'RDLOuBYa9Z', 'TbfOUBQdpD', 'jWuOVHLJPU', 'rrFONDEyX9', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, RnLvyHhcY6Oy8kkYiI.csHigh entropy of concatenated method names: 'oLYKkMIyvZ', 'eXQKIlCFXy', 'plnKHCvUBX', 'BC9KhfTmrM', 'mN8KP1mPwh', 'BYoKeZ6n3y', 'fvpKxlQdoK', 'JlhKEXwaZK', 'qNDKVVbXSP', 'XekKOihSbk'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, sp385rgxiNS4EJmmwr.csHigh entropy of concatenated method names: 'RPpqHV2m3n', 'qVsqh96LY0', 'L8hqfU35jq', 'esLqdn5Wsi', 'vQMqDH3498', 'CsRq3vlblQ', 'UEfq1Xdx1J', 'knQqCOdbhF', 'M26qatBYqb', 'meMqJZ8Bma'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, kJlxPCWi8fcNtmkjXT.csHigh entropy of concatenated method names: 'zTCUlY2GOr', 'YMIUZQThKU', 'IyyUp4sELk', 'sspUkNHT6M', 'i0RUyYy5UX', 'u7rUIrYDkw', 'qVlUmqcqfS', 'zFyUHsUP06', 'g0SUh9QohH', 'vVjU7dPBBY'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, zvtgUhf8f46HU1Xskj.csHigh entropy of concatenated method names: 'p8nuBjmbRD', 'hArubmuJvq', 'wmouSiqEB5', 'wAouUOBpNM', 'SgRuNKPuQs', 'L3DST5AXRJ', 'd4qSnkH55Y', 'ESwSoGsiXJ', 'ACLSGan5o5', 'BAoSwTFMiJ'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, UQ0i0lHev5nYnvHtPH.csHigh entropy of concatenated method names: 'Fucb2KSjw1', 'i6ybtcyvDR', 'WjUb4fnrB5', 'LgLbr3MtBK', 'bcvbTbsCL7', 'DrobnNVFk7', 'AMEbo0UeXi', 'WMtbG1A15O', 'RBxbwbihwN', 'cgXbi5xnXD'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, AHqSqmYHHTJ0FWuD0m.csHigh entropy of concatenated method names: 'ePTjUQ0i0l', 'pv5jNnYnvH', 'DcYj66Oy8k', 'AYijLIDLvY', 'c0xjPaKpvt', 'PUhje8f46H', 'If9yoNbuD9Mrvpy70U', 'd0Bkano2pdUkvUcGIA', 'Og9jjTEesu', 'vZWjXK0Vey'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, QbEXJMofRKqJRxva5a.csHigh entropy of concatenated method names: 'KZlVPtrZI2', 'th3Vxljx4h', 'BwNVV7UUfJ', 'mvoVQgGwZ9', 'Oc5V5wUkdr', 'AA7VAGiQgU', 'Dispose', 'hNQEsRToA5', 'IRhEbV4OFx', 'cVlEKGAghj'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, jIbxUn4gS3RCcje0q3.csHigh entropy of concatenated method names: 'ToString', 'n9MeJT5K6B', 'btced9AYxy', 'bb0e05YnBU', 'h9weDk2utm', 'iR1e3Wq3XU', 'VPDeRrsy3Z', 'bdZe1iNw82', 'nkQeCcBXKJ', 'jwJeWUU5qV'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, pPq14QbhZL56B8Z8jx.csHigh entropy of concatenated method names: 'Dispose', 'hqJjwRxva5', 'CRdvdaokxe', 'yNRbPWMtUn', 'OAFjin8KSP', 'SUdjzWi8uv', 'ProcessDialogKey', 'q9svcalDxR', 'xxLvjJYkX7', 'e7EvvrZwGX'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, xhnSuHN4lkD8f6pwa5.csHigh entropy of concatenated method names: 'nhhXB2hj4m', 'SHoXst9Ktr', 'heBXbHLf76', 'eA6XK2T45U', 'DJaXSpBJxC', 'JMcXuBQswC', 'WbiXUiyYYv', 'uGTXNMalJF', 'bbiX9bOSSj', 'TvtX6cQo0f'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, JnugWbK45BwHY1N05d.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'QmWvwWSHXX', 'tvRvix0IG3', 'Im7vz9CFlJ', 'feIXclPyL2', 'rp8Xje4vGR', 'qRwXvmHCBf', 'KYXXXpgh79', 'WgFdfy9wu5Z6TcHRC81'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, ILvYVd7fGhvcjX0xaK.csHigh entropy of concatenated method names: 'AGtSyUsvLr', 'UkXSmbps8L', 'fyuK0cquod', 'lOpKDEmpPh', 'ddDK3J4b6H', 'SKcKRj6tC8', 'ox5K1KmgaA', 'Dl0KCkTW9g', 'XL7KWWmyn2', 'iAOKamwCFn'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, WY7RbD1d9v2M8aQ0Ph.csHigh entropy of concatenated method names: 'ASDUsFI02g', 'dD1UK2mLUs', 'Y06UusFm77', 'j1auiNPJ8y', 'CrBuzBPfCD', 'eugUcCJoen', 'eC4UjHqMH0', 'Go6Uvew6W3', 'IOSUXGCokI', 'i8NUYm9nMB'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, PVnOUSvERHViGj5nfj.csHigh entropy of concatenated method names: 'RuYpXhZQJ', 'XpKkswCAB', 'tnXI1WUS2', 'liEmIFGvn', 'k5mh7BaLT', 'Hq17YNxYS', 'tihNRK8JHnSRTJZr9M', 'rGO4QyWtb1nR3tOoD1', 'Y6hEGpYKO', 'OpRO9oiIn'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, klWRNojX8dcoaueuFsk.csHigh entropy of concatenated method names: 'H33QiG9cLy', 'THBQzWjbZk', 'FqoMcmVXJN', 'YB28ZaPzGvqsfkh5twU', 'NEWNLUK6xVMCI0WIy5Q', 'Im33bNK9Vqc0t4FlnPZ', 'dBjuNtKlRpM9f6nJ0Ly'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, falDxRwAxLJYkX7Y7E.csHigh entropy of concatenated method names: 'JAAVfqrfhK', 'KGSVd3PmXk', 'j3OV0S0KDv', 'WIJVDurt40', 'CPNV3YhTZx', 'dFNVRPjICv', 'OKuV1SBBAP', 'FKgVCsQMg7', 'q90VWGJGiK', 'copVagNMFO'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, ftXKror1aHMkQZRIyA.csHigh entropy of concatenated method names: 'Rxux6xKUjW', 'NrbxL3lDhb', 'ToString', 's0RxsksSDp', 'pSMxbRbsfa', 'NmNxKhlqRO', 'emtxShUaKJ', 'zkZxuCUclV', 'pNyxUvmGLT', 'XB7xNegEuw'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, kLCcgcjjNTLulV8hmee.csHigh entropy of concatenated method names: 'o79OifwDif', 'CA5OzSaU4y', 'qGDQcoKhsO', 'iaIQjsAWJx', 'uG3Qvn45fT', 'WDJQXnWisQ', 'SsyQYZIHgU', 'teBQBWKXGX', 'Ju7QsolSsl', 'zrJQbTlHkt'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, kBIC46zonbDdPSRPh0.csHigh entropy of concatenated method names: 'H94OIlQgCL', 'YbIOH1FNlx', 'Dn7OhVtoW0', 'Kx8OfYaWMi', 'tfHOdcdcOq', 'KPjODRibUM', 'hC4O39gtBk', 'YLROA9mj7e', 'FuJOlTUsv6', 'XOPOZApp8v'
                Source: 0.2.Invoice 1425004091.exe.8520000.4.raw.unpack, T6paDvjYQurEnbrMvFB.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JTkMVnqRVq', 'FS0MO6vkN1', 'DbHMQ6q7Nk', 'mBoMMXLodC', 'iDhM5l8MLy', 'AeXM8rmmUX', 'DpqMAF0Qi5'
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Switches to a custom stack to bypass stack traces
                Source: C:\Windows\SysWOW64\dxdiag.exeAPI/Special instruction interceptor: Address: 7FFC1B60D324
                Source: C:\Windows\SysWOW64\dxdiag.exeAPI/Special instruction interceptor: Address: 7FFC1B60D7E4
                Source: C:\Windows\SysWOW64\dxdiag.exeAPI/Special instruction interceptor: Address: 7FFC1B60D944
                Source: C:\Windows\SysWOW64\dxdiag.exeAPI/Special instruction interceptor: Address: 7FFC1B60D504
                Source: C:\Windows\SysWOW64\dxdiag.exeAPI/Special instruction interceptor: Address: 7FFC1B60D544
                Source: C:\Windows\SysWOW64\dxdiag.exeAPI/Special instruction interceptor: Address: 7FFC1B60D1E4
                Source: C:\Windows\SysWOW64\dxdiag.exeAPI/Special instruction interceptor: Address: 7FFC1B610154
                Source: C:\Windows\SysWOW64\dxdiag.exeAPI/Special instruction interceptor: Address: 7FFC1B60DA44
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeMemory allocated: 9D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeMemory allocated: 2560000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeMemory allocated: B20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeMemory allocated: 86B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeMemory allocated: 96B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeMemory allocated: 98B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeMemory allocated: A8B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0178096E rdtsc 1_2_0178096E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeWindow / User API: threadDelayed 9779Jump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\dxdiag.exeAPI coverage: 2.6 %
                Source: C:\Users\user\Desktop\Invoice 1425004091.exe TID: 5448Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exe TID: 3560Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exe TID: 7280Thread sleep count: 194 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exe TID: 7280Thread sleep time: -388000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exe TID: 7280Thread sleep count: 9779 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exe TID: 7280Thread sleep time: -19558000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exe TID: 7316Thread sleep time: -75000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exe TID: 7316Thread sleep count: 33 > 30Jump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exe TID: 7316Thread sleep time: -49500s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exe TID: 7316Thread sleep count: 40 > 30Jump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exe TID: 7316Thread sleep time: -40000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\dxdiag.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 5_2_00A6C9E0 FindFirstFileW,FindNextFileW,FindClose,5_2_00A6C9E0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeThread delayed: delay time: 30000Jump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CDYNVMware20,11696492231p
                Source: 20Xb-18.5.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 20Xb-18.5.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 20Xb-18.5.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 20Xb-18.5.drBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 20Xb-18.5.drBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: 20Xb-18.5.drBinary or memory string: outlook.office.comVMware20,11696492231s
                Source: Invoice 1425004091.exe, 00000000.00000002.873707364.0000000008520000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: NEWNLUK6xVMCI0WIy5Q
                Source: 20Xb-18.5.drBinary or memory string: AMC password management pageVMware20,11696492231
                Source: 20Xb-18.5.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: 20Xb-18.5.drBinary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 20Xb-18.5.drBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: 20Xb-18.5.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 20Xb-18.5.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 20Xb-18.5.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 20Xb-18.5.drBinary or memory string: outlook.office365.comVMware20,11696492231t
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,1169649'K
                Source: 20Xb-18.5.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 20Xb-18.5.drBinary or memory string: discord.comVMware20,11696492231f
                Source: dxdiag.exe, 00000005.00000002.3316880840.0000000002D2B000.00000004.00000020.00020000.00000000.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 0000000C.00000002.3317618017.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000002.1620391120.0000028BC7E8C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 20Xb-18.5.drBinary or memory string: global block list test formVMware20,11696492231
                Source: 20Xb-18.5.drBinary or memory string: dev.azure.comVMware20,11696492231j
                Source: 20Xb-18.5.drBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 20Xb-18.5.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 20Xb-18.5.drBinary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 20Xb-18.5.drBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: 20Xb-18.5.drBinary or memory string: tasks.office.comVMware20,11696492231o
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: lobal passwords blocklistVMware20,11696492231
                Source: 20Xb-18.5.drBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: re.comVMware20,11696492231
                Source: 20Xb-18.5.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 20Xb-18.5.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 20Xb-18.5.drBinary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: dxdiag.exe, 00000005.00000002.3321530729.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,1169649sK
                Source: 20Xb-18.5.drBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 20Xb-18.5.drBinary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 20Xb-18.5.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 20Xb-18.5.drBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0178096E rdtsc 1_2_0178096E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_00417CF3 LdrLoadDll,1_2_00417CF3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01746154 mov eax, dword ptr fs:[00000030h]1_2_01746154
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01746154 mov eax, dword ptr fs:[00000030h]1_2_01746154
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173C156 mov eax, dword ptr fs:[00000030h]1_2_0173C156
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D8158 mov eax, dword ptr fs:[00000030h]1_2_017D8158
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D4144 mov eax, dword ptr fs:[00000030h]1_2_017D4144
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D4144 mov eax, dword ptr fs:[00000030h]1_2_017D4144
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D4144 mov ecx, dword ptr fs:[00000030h]1_2_017D4144
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D4144 mov eax, dword ptr fs:[00000030h]1_2_017D4144
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D4144 mov eax, dword ptr fs:[00000030h]1_2_017D4144
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018061C3 mov eax, dword ptr fs:[00000030h]1_2_018061C3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018061C3 mov eax, dword ptr fs:[00000030h]1_2_018061C3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01770124 mov eax, dword ptr fs:[00000030h]1_2_01770124
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018161E5 mov eax, dword ptr fs:[00000030h]1_2_018161E5
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EA118 mov ecx, dword ptr fs:[00000030h]1_2_017EA118
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EA118 mov eax, dword ptr fs:[00000030h]1_2_017EA118
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EA118 mov eax, dword ptr fs:[00000030h]1_2_017EA118
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EA118 mov eax, dword ptr fs:[00000030h]1_2_017EA118
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE10E mov eax, dword ptr fs:[00000030h]1_2_017EE10E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE10E mov ecx, dword ptr fs:[00000030h]1_2_017EE10E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE10E mov eax, dword ptr fs:[00000030h]1_2_017EE10E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE10E mov eax, dword ptr fs:[00000030h]1_2_017EE10E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE10E mov ecx, dword ptr fs:[00000030h]1_2_017EE10E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE10E mov eax, dword ptr fs:[00000030h]1_2_017EE10E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE10E mov eax, dword ptr fs:[00000030h]1_2_017EE10E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE10E mov ecx, dword ptr fs:[00000030h]1_2_017EE10E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE10E mov eax, dword ptr fs:[00000030h]1_2_017EE10E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE10E mov ecx, dword ptr fs:[00000030h]1_2_017EE10E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017701F8 mov eax, dword ptr fs:[00000030h]1_2_017701F8
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01800115 mov eax, dword ptr fs:[00000030h]1_2_01800115
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE1D0 mov eax, dword ptr fs:[00000030h]1_2_017BE1D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE1D0 mov eax, dword ptr fs:[00000030h]1_2_017BE1D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE1D0 mov ecx, dword ptr fs:[00000030h]1_2_017BE1D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE1D0 mov eax, dword ptr fs:[00000030h]1_2_017BE1D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE1D0 mov eax, dword ptr fs:[00000030h]1_2_017BE1D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C019F mov eax, dword ptr fs:[00000030h]1_2_017C019F
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C019F mov eax, dword ptr fs:[00000030h]1_2_017C019F
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C019F mov eax, dword ptr fs:[00000030h]1_2_017C019F
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C019F mov eax, dword ptr fs:[00000030h]1_2_017C019F
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173A197 mov eax, dword ptr fs:[00000030h]1_2_0173A197
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173A197 mov eax, dword ptr fs:[00000030h]1_2_0173A197
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173A197 mov eax, dword ptr fs:[00000030h]1_2_0173A197
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017FC188 mov eax, dword ptr fs:[00000030h]1_2_017FC188
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017FC188 mov eax, dword ptr fs:[00000030h]1_2_017FC188
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01780185 mov eax, dword ptr fs:[00000030h]1_2_01780185
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E4180 mov eax, dword ptr fs:[00000030h]1_2_017E4180
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E4180 mov eax, dword ptr fs:[00000030h]1_2_017E4180
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176C073 mov eax, dword ptr fs:[00000030h]1_2_0176C073
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01742050 mov eax, dword ptr fs:[00000030h]1_2_01742050
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C6050 mov eax, dword ptr fs:[00000030h]1_2_017C6050
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018060B8 mov eax, dword ptr fs:[00000030h]1_2_018060B8
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018060B8 mov ecx, dword ptr fs:[00000030h]1_2_018060B8
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D6030 mov eax, dword ptr fs:[00000030h]1_2_017D6030
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173A020 mov eax, dword ptr fs:[00000030h]1_2_0173A020
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173C020 mov eax, dword ptr fs:[00000030h]1_2_0173C020
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175E016 mov eax, dword ptr fs:[00000030h]1_2_0175E016
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175E016 mov eax, dword ptr fs:[00000030h]1_2_0175E016
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175E016 mov eax, dword ptr fs:[00000030h]1_2_0175E016
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175E016 mov eax, dword ptr fs:[00000030h]1_2_0175E016
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C4000 mov ecx, dword ptr fs:[00000030h]1_2_017C4000
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E2000 mov eax, dword ptr fs:[00000030h]1_2_017E2000
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E2000 mov eax, dword ptr fs:[00000030h]1_2_017E2000
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E2000 mov eax, dword ptr fs:[00000030h]1_2_017E2000
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E2000 mov eax, dword ptr fs:[00000030h]1_2_017E2000
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E2000 mov eax, dword ptr fs:[00000030h]1_2_017E2000
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E2000 mov eax, dword ptr fs:[00000030h]1_2_017E2000
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E2000 mov eax, dword ptr fs:[00000030h]1_2_017E2000
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E2000 mov eax, dword ptr fs:[00000030h]1_2_017E2000
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173C0F0 mov eax, dword ptr fs:[00000030h]1_2_0173C0F0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017820F0 mov ecx, dword ptr fs:[00000030h]1_2_017820F0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0173A0E3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C60E0 mov eax, dword ptr fs:[00000030h]1_2_017C60E0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017480E9 mov eax, dword ptr fs:[00000030h]1_2_017480E9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C20DE mov eax, dword ptr fs:[00000030h]1_2_017C20DE
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D80A8 mov eax, dword ptr fs:[00000030h]1_2_017D80A8
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174208A mov eax, dword ptr fs:[00000030h]1_2_0174208A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E437C mov eax, dword ptr fs:[00000030h]1_2_017E437C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C035C mov eax, dword ptr fs:[00000030h]1_2_017C035C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C035C mov eax, dword ptr fs:[00000030h]1_2_017C035C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C035C mov eax, dword ptr fs:[00000030h]1_2_017C035C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C035C mov ecx, dword ptr fs:[00000030h]1_2_017C035C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C035C mov eax, dword ptr fs:[00000030h]1_2_017C035C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C035C mov eax, dword ptr fs:[00000030h]1_2_017C035C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E8350 mov ecx, dword ptr fs:[00000030h]1_2_017E8350
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C2349 mov eax, dword ptr fs:[00000030h]1_2_017C2349
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173C310 mov ecx, dword ptr fs:[00000030h]1_2_0173C310
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01760310 mov ecx, dword ptr fs:[00000030h]1_2_01760310
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177A30B mov eax, dword ptr fs:[00000030h]1_2_0177A30B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177A30B mov eax, dword ptr fs:[00000030h]1_2_0177A30B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177A30B mov eax, dword ptr fs:[00000030h]1_2_0177A30B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175E3F0 mov eax, dword ptr fs:[00000030h]1_2_0175E3F0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175E3F0 mov eax, dword ptr fs:[00000030h]1_2_0175E3F0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175E3F0 mov eax, dword ptr fs:[00000030h]1_2_0175E3F0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017763FF mov eax, dword ptr fs:[00000030h]1_2_017763FF
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017503E9 mov eax, dword ptr fs:[00000030h]1_2_017503E9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017503E9 mov eax, dword ptr fs:[00000030h]1_2_017503E9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017503E9 mov eax, dword ptr fs:[00000030h]1_2_017503E9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017503E9 mov eax, dword ptr fs:[00000030h]1_2_017503E9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017503E9 mov eax, dword ptr fs:[00000030h]1_2_017503E9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017503E9 mov eax, dword ptr fs:[00000030h]1_2_017503E9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017503E9 mov eax, dword ptr fs:[00000030h]1_2_017503E9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017503E9 mov eax, dword ptr fs:[00000030h]1_2_017503E9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE3DB mov eax, dword ptr fs:[00000030h]1_2_017EE3DB
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE3DB mov eax, dword ptr fs:[00000030h]1_2_017EE3DB
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE3DB mov ecx, dword ptr fs:[00000030h]1_2_017EE3DB
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EE3DB mov eax, dword ptr fs:[00000030h]1_2_017EE3DB
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E43D4 mov eax, dword ptr fs:[00000030h]1_2_017E43D4
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E43D4 mov eax, dword ptr fs:[00000030h]1_2_017E43D4
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017FC3CD mov eax, dword ptr fs:[00000030h]1_2_017FC3CD
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A3C0 mov eax, dword ptr fs:[00000030h]1_2_0174A3C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A3C0 mov eax, dword ptr fs:[00000030h]1_2_0174A3C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A3C0 mov eax, dword ptr fs:[00000030h]1_2_0174A3C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A3C0 mov eax, dword ptr fs:[00000030h]1_2_0174A3C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A3C0 mov eax, dword ptr fs:[00000030h]1_2_0174A3C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A3C0 mov eax, dword ptr fs:[00000030h]1_2_0174A3C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017483C0 mov eax, dword ptr fs:[00000030h]1_2_017483C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017483C0 mov eax, dword ptr fs:[00000030h]1_2_017483C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017483C0 mov eax, dword ptr fs:[00000030h]1_2_017483C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017483C0 mov eax, dword ptr fs:[00000030h]1_2_017483C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C63C0 mov eax, dword ptr fs:[00000030h]1_2_017C63C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180A352 mov eax, dword ptr fs:[00000030h]1_2_0180A352
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01738397 mov eax, dword ptr fs:[00000030h]1_2_01738397
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01738397 mov eax, dword ptr fs:[00000030h]1_2_01738397
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01738397 mov eax, dword ptr fs:[00000030h]1_2_01738397
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176438F mov eax, dword ptr fs:[00000030h]1_2_0176438F
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176438F mov eax, dword ptr fs:[00000030h]1_2_0176438F
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173E388 mov eax, dword ptr fs:[00000030h]1_2_0173E388
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173E388 mov eax, dword ptr fs:[00000030h]1_2_0173E388
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173E388 mov eax, dword ptr fs:[00000030h]1_2_0173E388
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F0274 mov eax, dword ptr fs:[00000030h]1_2_017F0274
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01744260 mov eax, dword ptr fs:[00000030h]1_2_01744260
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01744260 mov eax, dword ptr fs:[00000030h]1_2_01744260
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01744260 mov eax, dword ptr fs:[00000030h]1_2_01744260
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173826B mov eax, dword ptr fs:[00000030h]1_2_0173826B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173A250 mov eax, dword ptr fs:[00000030h]1_2_0173A250
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01746259 mov eax, dword ptr fs:[00000030h]1_2_01746259
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017FA250 mov eax, dword ptr fs:[00000030h]1_2_017FA250
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017FA250 mov eax, dword ptr fs:[00000030h]1_2_017FA250
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C8243 mov eax, dword ptr fs:[00000030h]1_2_017C8243
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C8243 mov ecx, dword ptr fs:[00000030h]1_2_017C8243
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173823B mov eax, dword ptr fs:[00000030h]1_2_0173823B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017502E1 mov eax, dword ptr fs:[00000030h]1_2_017502E1
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017502E1 mov eax, dword ptr fs:[00000030h]1_2_017502E1
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017502E1 mov eax, dword ptr fs:[00000030h]1_2_017502E1
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017502A0 mov eax, dword ptr fs:[00000030h]1_2_017502A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017502A0 mov eax, dword ptr fs:[00000030h]1_2_017502A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D62A0 mov eax, dword ptr fs:[00000030h]1_2_017D62A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D62A0 mov ecx, dword ptr fs:[00000030h]1_2_017D62A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D62A0 mov eax, dword ptr fs:[00000030h]1_2_017D62A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D62A0 mov eax, dword ptr fs:[00000030h]1_2_017D62A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D62A0 mov eax, dword ptr fs:[00000030h]1_2_017D62A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D62A0 mov eax, dword ptr fs:[00000030h]1_2_017D62A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E284 mov eax, dword ptr fs:[00000030h]1_2_0177E284
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E284 mov eax, dword ptr fs:[00000030h]1_2_0177E284
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C0283 mov eax, dword ptr fs:[00000030h]1_2_017C0283
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C0283 mov eax, dword ptr fs:[00000030h]1_2_017C0283
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C0283 mov eax, dword ptr fs:[00000030h]1_2_017C0283
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177656A mov eax, dword ptr fs:[00000030h]1_2_0177656A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177656A mov eax, dword ptr fs:[00000030h]1_2_0177656A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177656A mov eax, dword ptr fs:[00000030h]1_2_0177656A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748550 mov eax, dword ptr fs:[00000030h]1_2_01748550
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748550 mov eax, dword ptr fs:[00000030h]1_2_01748550
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750535 mov eax, dword ptr fs:[00000030h]1_2_01750535
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750535 mov eax, dword ptr fs:[00000030h]1_2_01750535
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750535 mov eax, dword ptr fs:[00000030h]1_2_01750535
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750535 mov eax, dword ptr fs:[00000030h]1_2_01750535
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750535 mov eax, dword ptr fs:[00000030h]1_2_01750535
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750535 mov eax, dword ptr fs:[00000030h]1_2_01750535
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E53E mov eax, dword ptr fs:[00000030h]1_2_0176E53E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E53E mov eax, dword ptr fs:[00000030h]1_2_0176E53E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E53E mov eax, dword ptr fs:[00000030h]1_2_0176E53E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E53E mov eax, dword ptr fs:[00000030h]1_2_0176E53E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E53E mov eax, dword ptr fs:[00000030h]1_2_0176E53E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D6500 mov eax, dword ptr fs:[00000030h]1_2_017D6500
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01814500 mov eax, dword ptr fs:[00000030h]1_2_01814500
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01814500 mov eax, dword ptr fs:[00000030h]1_2_01814500
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01814500 mov eax, dword ptr fs:[00000030h]1_2_01814500
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01814500 mov eax, dword ptr fs:[00000030h]1_2_01814500
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01814500 mov eax, dword ptr fs:[00000030h]1_2_01814500
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01814500 mov eax, dword ptr fs:[00000030h]1_2_01814500
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01814500 mov eax, dword ptr fs:[00000030h]1_2_01814500
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E5E7 mov eax, dword ptr fs:[00000030h]1_2_0176E5E7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E5E7 mov eax, dword ptr fs:[00000030h]1_2_0176E5E7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E5E7 mov eax, dword ptr fs:[00000030h]1_2_0176E5E7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E5E7 mov eax, dword ptr fs:[00000030h]1_2_0176E5E7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E5E7 mov eax, dword ptr fs:[00000030h]1_2_0176E5E7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E5E7 mov eax, dword ptr fs:[00000030h]1_2_0176E5E7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E5E7 mov eax, dword ptr fs:[00000030h]1_2_0176E5E7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E5E7 mov eax, dword ptr fs:[00000030h]1_2_0176E5E7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017425E0 mov eax, dword ptr fs:[00000030h]1_2_017425E0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177C5ED mov eax, dword ptr fs:[00000030h]1_2_0177C5ED
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177C5ED mov eax, dword ptr fs:[00000030h]1_2_0177C5ED
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017465D0 mov eax, dword ptr fs:[00000030h]1_2_017465D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177A5D0 mov eax, dword ptr fs:[00000030h]1_2_0177A5D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177A5D0 mov eax, dword ptr fs:[00000030h]1_2_0177A5D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E5CF mov eax, dword ptr fs:[00000030h]1_2_0177E5CF
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E5CF mov eax, dword ptr fs:[00000030h]1_2_0177E5CF
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017645B1 mov eax, dword ptr fs:[00000030h]1_2_017645B1
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017645B1 mov eax, dword ptr fs:[00000030h]1_2_017645B1
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C05A7 mov eax, dword ptr fs:[00000030h]1_2_017C05A7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C05A7 mov eax, dword ptr fs:[00000030h]1_2_017C05A7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C05A7 mov eax, dword ptr fs:[00000030h]1_2_017C05A7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E59C mov eax, dword ptr fs:[00000030h]1_2_0177E59C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01742582 mov eax, dword ptr fs:[00000030h]1_2_01742582
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01742582 mov ecx, dword ptr fs:[00000030h]1_2_01742582
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01774588 mov eax, dword ptr fs:[00000030h]1_2_01774588
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176A470 mov eax, dword ptr fs:[00000030h]1_2_0176A470
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176A470 mov eax, dword ptr fs:[00000030h]1_2_0176A470
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176A470 mov eax, dword ptr fs:[00000030h]1_2_0176A470
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CC460 mov ecx, dword ptr fs:[00000030h]1_2_017CC460
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017FA456 mov eax, dword ptr fs:[00000030h]1_2_017FA456
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176245A mov eax, dword ptr fs:[00000030h]1_2_0176245A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173645D mov eax, dword ptr fs:[00000030h]1_2_0173645D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E443 mov eax, dword ptr fs:[00000030h]1_2_0177E443
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E443 mov eax, dword ptr fs:[00000030h]1_2_0177E443
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E443 mov eax, dword ptr fs:[00000030h]1_2_0177E443
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E443 mov eax, dword ptr fs:[00000030h]1_2_0177E443
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E443 mov eax, dword ptr fs:[00000030h]1_2_0177E443
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E443 mov eax, dword ptr fs:[00000030h]1_2_0177E443
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E443 mov eax, dword ptr fs:[00000030h]1_2_0177E443
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177E443 mov eax, dword ptr fs:[00000030h]1_2_0177E443
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177A430 mov eax, dword ptr fs:[00000030h]1_2_0177A430
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173E420 mov eax, dword ptr fs:[00000030h]1_2_0173E420
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173E420 mov eax, dword ptr fs:[00000030h]1_2_0173E420
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173E420 mov eax, dword ptr fs:[00000030h]1_2_0173E420
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173C427 mov eax, dword ptr fs:[00000030h]1_2_0173C427
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C6420 mov eax, dword ptr fs:[00000030h]1_2_017C6420
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C6420 mov eax, dword ptr fs:[00000030h]1_2_017C6420
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C6420 mov eax, dword ptr fs:[00000030h]1_2_017C6420
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C6420 mov eax, dword ptr fs:[00000030h]1_2_017C6420
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C6420 mov eax, dword ptr fs:[00000030h]1_2_017C6420
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C6420 mov eax, dword ptr fs:[00000030h]1_2_017C6420
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C6420 mov eax, dword ptr fs:[00000030h]1_2_017C6420
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01778402 mov eax, dword ptr fs:[00000030h]1_2_01778402
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01778402 mov eax, dword ptr fs:[00000030h]1_2_01778402
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01778402 mov eax, dword ptr fs:[00000030h]1_2_01778402
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017404E5 mov ecx, dword ptr fs:[00000030h]1_2_017404E5
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017744B0 mov ecx, dword ptr fs:[00000030h]1_2_017744B0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CA4B0 mov eax, dword ptr fs:[00000030h]1_2_017CA4B0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017464AB mov eax, dword ptr fs:[00000030h]1_2_017464AB
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017FA49A mov eax, dword ptr fs:[00000030h]1_2_017FA49A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748770 mov eax, dword ptr fs:[00000030h]1_2_01748770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750770 mov eax, dword ptr fs:[00000030h]1_2_01750770
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CE75D mov eax, dword ptr fs:[00000030h]1_2_017CE75D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01740750 mov eax, dword ptr fs:[00000030h]1_2_01740750
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782750 mov eax, dword ptr fs:[00000030h]1_2_01782750
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782750 mov eax, dword ptr fs:[00000030h]1_2_01782750
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C4755 mov eax, dword ptr fs:[00000030h]1_2_017C4755
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177674D mov esi, dword ptr fs:[00000030h]1_2_0177674D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177674D mov eax, dword ptr fs:[00000030h]1_2_0177674D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177674D mov eax, dword ptr fs:[00000030h]1_2_0177674D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177273C mov eax, dword ptr fs:[00000030h]1_2_0177273C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177273C mov ecx, dword ptr fs:[00000030h]1_2_0177273C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177273C mov eax, dword ptr fs:[00000030h]1_2_0177273C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BC730 mov eax, dword ptr fs:[00000030h]1_2_017BC730
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177C720 mov eax, dword ptr fs:[00000030h]1_2_0177C720
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177C720 mov eax, dword ptr fs:[00000030h]1_2_0177C720
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01740710 mov eax, dword ptr fs:[00000030h]1_2_01740710
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01770710 mov eax, dword ptr fs:[00000030h]1_2_01770710
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177C700 mov eax, dword ptr fs:[00000030h]1_2_0177C700
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017447FB mov eax, dword ptr fs:[00000030h]1_2_017447FB
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017447FB mov eax, dword ptr fs:[00000030h]1_2_017447FB
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017627ED mov eax, dword ptr fs:[00000030h]1_2_017627ED
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017627ED mov eax, dword ptr fs:[00000030h]1_2_017627ED
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017627ED mov eax, dword ptr fs:[00000030h]1_2_017627ED
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CE7E1 mov eax, dword ptr fs:[00000030h]1_2_017CE7E1
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174C7C0 mov eax, dword ptr fs:[00000030h]1_2_0174C7C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C07C3 mov eax, dword ptr fs:[00000030h]1_2_017C07C3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017407AF mov eax, dword ptr fs:[00000030h]1_2_017407AF
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F47A0 mov eax, dword ptr fs:[00000030h]1_2_017F47A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E678E mov eax, dword ptr fs:[00000030h]1_2_017E678E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01772674 mov eax, dword ptr fs:[00000030h]1_2_01772674
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177A660 mov eax, dword ptr fs:[00000030h]1_2_0177A660
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177A660 mov eax, dword ptr fs:[00000030h]1_2_0177A660
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175C640 mov eax, dword ptr fs:[00000030h]1_2_0175C640
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175E627 mov eax, dword ptr fs:[00000030h]1_2_0175E627
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01776620 mov eax, dword ptr fs:[00000030h]1_2_01776620
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01778620 mov eax, dword ptr fs:[00000030h]1_2_01778620
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174262C mov eax, dword ptr fs:[00000030h]1_2_0174262C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01782619 mov eax, dword ptr fs:[00000030h]1_2_01782619
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE609 mov eax, dword ptr fs:[00000030h]1_2_017BE609
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175260B mov eax, dword ptr fs:[00000030h]1_2_0175260B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175260B mov eax, dword ptr fs:[00000030h]1_2_0175260B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175260B mov eax, dword ptr fs:[00000030h]1_2_0175260B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175260B mov eax, dword ptr fs:[00000030h]1_2_0175260B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175260B mov eax, dword ptr fs:[00000030h]1_2_0175260B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175260B mov eax, dword ptr fs:[00000030h]1_2_0175260B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0175260B mov eax, dword ptr fs:[00000030h]1_2_0175260B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE6F2 mov eax, dword ptr fs:[00000030h]1_2_017BE6F2
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE6F2 mov eax, dword ptr fs:[00000030h]1_2_017BE6F2
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE6F2 mov eax, dword ptr fs:[00000030h]1_2_017BE6F2
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE6F2 mov eax, dword ptr fs:[00000030h]1_2_017BE6F2
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C06F1 mov eax, dword ptr fs:[00000030h]1_2_017C06F1
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C06F1 mov eax, dword ptr fs:[00000030h]1_2_017C06F1
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0177A6C7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177A6C7 mov eax, dword ptr fs:[00000030h]1_2_0177A6C7
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017766B0 mov eax, dword ptr fs:[00000030h]1_2_017766B0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177C6A6 mov eax, dword ptr fs:[00000030h]1_2_0177C6A6
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01744690 mov eax, dword ptr fs:[00000030h]1_2_01744690
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01744690 mov eax, dword ptr fs:[00000030h]1_2_01744690
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180866E mov eax, dword ptr fs:[00000030h]1_2_0180866E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180866E mov eax, dword ptr fs:[00000030h]1_2_0180866E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CC97C mov eax, dword ptr fs:[00000030h]1_2_017CC97C
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E4978 mov eax, dword ptr fs:[00000030h]1_2_017E4978
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E4978 mov eax, dword ptr fs:[00000030h]1_2_017E4978
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01766962 mov eax, dword ptr fs:[00000030h]1_2_01766962
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01766962 mov eax, dword ptr fs:[00000030h]1_2_01766962
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01766962 mov eax, dword ptr fs:[00000030h]1_2_01766962
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0178096E mov eax, dword ptr fs:[00000030h]1_2_0178096E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0178096E mov edx, dword ptr fs:[00000030h]1_2_0178096E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0178096E mov eax, dword ptr fs:[00000030h]1_2_0178096E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C0946 mov eax, dword ptr fs:[00000030h]1_2_017C0946
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180A9D3 mov eax, dword ptr fs:[00000030h]1_2_0180A9D3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C892A mov eax, dword ptr fs:[00000030h]1_2_017C892A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D892B mov eax, dword ptr fs:[00000030h]1_2_017D892B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01738918 mov eax, dword ptr fs:[00000030h]1_2_01738918
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01738918 mov eax, dword ptr fs:[00000030h]1_2_01738918
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CC912 mov eax, dword ptr fs:[00000030h]1_2_017CC912
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE908 mov eax, dword ptr fs:[00000030h]1_2_017BE908
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BE908 mov eax, dword ptr fs:[00000030h]1_2_017BE908
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017729F9 mov eax, dword ptr fs:[00000030h]1_2_017729F9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017729F9 mov eax, dword ptr fs:[00000030h]1_2_017729F9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CE9E0 mov eax, dword ptr fs:[00000030h]1_2_017CE9E0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A9D0 mov eax, dword ptr fs:[00000030h]1_2_0174A9D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A9D0 mov eax, dword ptr fs:[00000030h]1_2_0174A9D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A9D0 mov eax, dword ptr fs:[00000030h]1_2_0174A9D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A9D0 mov eax, dword ptr fs:[00000030h]1_2_0174A9D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A9D0 mov eax, dword ptr fs:[00000030h]1_2_0174A9D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174A9D0 mov eax, dword ptr fs:[00000030h]1_2_0174A9D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017749D0 mov eax, dword ptr fs:[00000030h]1_2_017749D0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D69C0 mov eax, dword ptr fs:[00000030h]1_2_017D69C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C89B3 mov esi, dword ptr fs:[00000030h]1_2_017C89B3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C89B3 mov eax, dword ptr fs:[00000030h]1_2_017C89B3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017C89B3 mov eax, dword ptr fs:[00000030h]1_2_017C89B3
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017529A0 mov eax, dword ptr fs:[00000030h]1_2_017529A0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017409AD mov eax, dword ptr fs:[00000030h]1_2_017409AD
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017409AD mov eax, dword ptr fs:[00000030h]1_2_017409AD
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D6870 mov eax, dword ptr fs:[00000030h]1_2_017D6870
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D6870 mov eax, dword ptr fs:[00000030h]1_2_017D6870
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CE872 mov eax, dword ptr fs:[00000030h]1_2_017CE872
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CE872 mov eax, dword ptr fs:[00000030h]1_2_017CE872
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01770854 mov eax, dword ptr fs:[00000030h]1_2_01770854
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01744859 mov eax, dword ptr fs:[00000030h]1_2_01744859
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01744859 mov eax, dword ptr fs:[00000030h]1_2_01744859
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01752840 mov ecx, dword ptr fs:[00000030h]1_2_01752840
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_018108C0 mov eax, dword ptr fs:[00000030h]1_2_018108C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01762835 mov eax, dword ptr fs:[00000030h]1_2_01762835
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01762835 mov eax, dword ptr fs:[00000030h]1_2_01762835
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01762835 mov eax, dword ptr fs:[00000030h]1_2_01762835
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01762835 mov ecx, dword ptr fs:[00000030h]1_2_01762835
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01762835 mov eax, dword ptr fs:[00000030h]1_2_01762835
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01762835 mov eax, dword ptr fs:[00000030h]1_2_01762835
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E483A mov eax, dword ptr fs:[00000030h]1_2_017E483A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E483A mov eax, dword ptr fs:[00000030h]1_2_017E483A
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177A830 mov eax, dword ptr fs:[00000030h]1_2_0177A830
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180A8E4 mov eax, dword ptr fs:[00000030h]1_2_0180A8E4
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CC810 mov eax, dword ptr fs:[00000030h]1_2_017CC810
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177C8F9 mov eax, dword ptr fs:[00000030h]1_2_0177C8F9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177C8F9 mov eax, dword ptr fs:[00000030h]1_2_0177C8F9
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176E8C0 mov eax, dword ptr fs:[00000030h]1_2_0176E8C0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CC89D mov eax, dword ptr fs:[00000030h]1_2_017CC89D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01740887 mov eax, dword ptr fs:[00000030h]1_2_01740887
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0173CB7E mov eax, dword ptr fs:[00000030h]1_2_0173CB7E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EEB50 mov eax, dword ptr fs:[00000030h]1_2_017EEB50
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F4B4B mov eax, dword ptr fs:[00000030h]1_2_017F4B4B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F4B4B mov eax, dword ptr fs:[00000030h]1_2_017F4B4B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017E8B42 mov eax, dword ptr fs:[00000030h]1_2_017E8B42
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D6B40 mov eax, dword ptr fs:[00000030h]1_2_017D6B40
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D6B40 mov eax, dword ptr fs:[00000030h]1_2_017D6B40
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176EB20 mov eax, dword ptr fs:[00000030h]1_2_0176EB20
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176EB20 mov eax, dword ptr fs:[00000030h]1_2_0176EB20
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BEB1D mov eax, dword ptr fs:[00000030h]1_2_017BEB1D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BEB1D mov eax, dword ptr fs:[00000030h]1_2_017BEB1D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BEB1D mov eax, dword ptr fs:[00000030h]1_2_017BEB1D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BEB1D mov eax, dword ptr fs:[00000030h]1_2_017BEB1D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BEB1D mov eax, dword ptr fs:[00000030h]1_2_017BEB1D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BEB1D mov eax, dword ptr fs:[00000030h]1_2_017BEB1D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BEB1D mov eax, dword ptr fs:[00000030h]1_2_017BEB1D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BEB1D mov eax, dword ptr fs:[00000030h]1_2_017BEB1D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BEB1D mov eax, dword ptr fs:[00000030h]1_2_017BEB1D
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748BF0 mov eax, dword ptr fs:[00000030h]1_2_01748BF0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748BF0 mov eax, dword ptr fs:[00000030h]1_2_01748BF0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748BF0 mov eax, dword ptr fs:[00000030h]1_2_01748BF0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176EBFC mov eax, dword ptr fs:[00000030h]1_2_0176EBFC
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CCBF0 mov eax, dword ptr fs:[00000030h]1_2_017CCBF0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01808B28 mov eax, dword ptr fs:[00000030h]1_2_01808B28
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01808B28 mov eax, dword ptr fs:[00000030h]1_2_01808B28
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EEBD0 mov eax, dword ptr fs:[00000030h]1_2_017EEBD0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01740BCD mov eax, dword ptr fs:[00000030h]1_2_01740BCD
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01740BCD mov eax, dword ptr fs:[00000030h]1_2_01740BCD
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01740BCD mov eax, dword ptr fs:[00000030h]1_2_01740BCD
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01760BCB mov eax, dword ptr fs:[00000030h]1_2_01760BCB
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01760BCB mov eax, dword ptr fs:[00000030h]1_2_01760BCB
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01760BCB mov eax, dword ptr fs:[00000030h]1_2_01760BCB
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0180AB40 mov eax, dword ptr fs:[00000030h]1_2_0180AB40
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750BBE mov eax, dword ptr fs:[00000030h]1_2_01750BBE
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750BBE mov eax, dword ptr fs:[00000030h]1_2_01750BBE
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F4BB0 mov eax, dword ptr fs:[00000030h]1_2_017F4BB0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017F4BB0 mov eax, dword ptr fs:[00000030h]1_2_017F4BB0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01814A80 mov eax, dword ptr fs:[00000030h]1_2_01814A80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BCA72 mov eax, dword ptr fs:[00000030h]1_2_017BCA72
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017BCA72 mov eax, dword ptr fs:[00000030h]1_2_017BCA72
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177CA6F mov eax, dword ptr fs:[00000030h]1_2_0177CA6F
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177CA6F mov eax, dword ptr fs:[00000030h]1_2_0177CA6F
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177CA6F mov eax, dword ptr fs:[00000030h]1_2_0177CA6F
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017EEA60 mov eax, dword ptr fs:[00000030h]1_2_017EEA60
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01746A50 mov eax, dword ptr fs:[00000030h]1_2_01746A50
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01746A50 mov eax, dword ptr fs:[00000030h]1_2_01746A50
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01746A50 mov eax, dword ptr fs:[00000030h]1_2_01746A50
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01746A50 mov eax, dword ptr fs:[00000030h]1_2_01746A50
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01746A50 mov eax, dword ptr fs:[00000030h]1_2_01746A50
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01746A50 mov eax, dword ptr fs:[00000030h]1_2_01746A50
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01746A50 mov eax, dword ptr fs:[00000030h]1_2_01746A50
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750A5B mov eax, dword ptr fs:[00000030h]1_2_01750A5B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01750A5B mov eax, dword ptr fs:[00000030h]1_2_01750A5B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01764A35 mov eax, dword ptr fs:[00000030h]1_2_01764A35
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01764A35 mov eax, dword ptr fs:[00000030h]1_2_01764A35
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177CA38 mov eax, dword ptr fs:[00000030h]1_2_0177CA38
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177CA24 mov eax, dword ptr fs:[00000030h]1_2_0177CA24
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0176EA2E mov eax, dword ptr fs:[00000030h]1_2_0176EA2E
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017CCA11 mov eax, dword ptr fs:[00000030h]1_2_017CCA11
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177AAEE mov eax, dword ptr fs:[00000030h]1_2_0177AAEE
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0177AAEE mov eax, dword ptr fs:[00000030h]1_2_0177AAEE
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01740AD0 mov eax, dword ptr fs:[00000030h]1_2_01740AD0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01774AD0 mov eax, dword ptr fs:[00000030h]1_2_01774AD0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01774AD0 mov eax, dword ptr fs:[00000030h]1_2_01774AD0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01796ACC mov eax, dword ptr fs:[00000030h]1_2_01796ACC
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01796ACC mov eax, dword ptr fs:[00000030h]1_2_01796ACC
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01796ACC mov eax, dword ptr fs:[00000030h]1_2_01796ACC
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748AA0 mov eax, dword ptr fs:[00000030h]1_2_01748AA0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748AA0 mov eax, dword ptr fs:[00000030h]1_2_01748AA0
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01796AA4 mov eax, dword ptr fs:[00000030h]1_2_01796AA4
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01778A90 mov edx, dword ptr fs:[00000030h]1_2_01778A90
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174EA80 mov eax, dword ptr fs:[00000030h]1_2_0174EA80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174EA80 mov eax, dword ptr fs:[00000030h]1_2_0174EA80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174EA80 mov eax, dword ptr fs:[00000030h]1_2_0174EA80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174EA80 mov eax, dword ptr fs:[00000030h]1_2_0174EA80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174EA80 mov eax, dword ptr fs:[00000030h]1_2_0174EA80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174EA80 mov eax, dword ptr fs:[00000030h]1_2_0174EA80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174EA80 mov eax, dword ptr fs:[00000030h]1_2_0174EA80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174EA80 mov eax, dword ptr fs:[00000030h]1_2_0174EA80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_0174EA80 mov eax, dword ptr fs:[00000030h]1_2_0174EA80
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_017D8D6B mov eax, dword ptr fs:[00000030h]1_2_017D8D6B
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01814DAD mov eax, dword ptr fs:[00000030h]1_2_01814DAD
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01740D59 mov eax, dword ptr fs:[00000030h]1_2_01740D59
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01740D59 mov eax, dword ptr fs:[00000030h]1_2_01740D59
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01740D59 mov eax, dword ptr fs:[00000030h]1_2_01740D59
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748D59 mov eax, dword ptr fs:[00000030h]1_2_01748D59
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748D59 mov eax, dword ptr fs:[00000030h]1_2_01748D59
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748D59 mov eax, dword ptr fs:[00000030h]1_2_01748D59
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748D59 mov eax, dword ptr fs:[00000030h]1_2_01748D59
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01748D59 mov eax, dword ptr fs:[00000030h]1_2_01748D59
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeCode function: 1_2_01808DAE mov eax, dword ptr fs:[00000030h]1_2_01808DAE
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtQueryVolumeInformationFile: Direct from: 0x776D2F2CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtQuerySystemInformation: Direct from: 0x776D48CCJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtAllocateVirtualMemory: Direct from: 0x776D48ECJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtOpenSection: Direct from: 0x776D2E0CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtDeviceIoControlFile: Direct from: 0x776D2AECJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtAllocateVirtualMemory: Direct from: 0x776D2BECJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtQueryInformationProcess: Direct from: 0x776D2C26Jump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtResumeThread: Direct from: 0x776D2FBCJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtWriteVirtualMemory: Direct from: 0x776D490CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtCreateUserProcess: Direct from: 0x776D371CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtClose: Direct from: 0x776D2B6C
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtAllocateVirtualMemory: Direct from: 0x776D3C9CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtSetInformationThread: Direct from: 0x776C63F9Jump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtQueryAttributesFile: Direct from: 0x776D2E6CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtSetInformationThread: Direct from: 0x776D2B4CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtReadVirtualMemory: Direct from: 0x776D2E8CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtCreateKey: Direct from: 0x776D2C6CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtResumeThread: Direct from: 0x776D36ACJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtMapViewOfSection: Direct from: 0x776D2D1CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtWriteVirtualMemory: Direct from: 0x776D2E3CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtCreateMutant: Direct from: 0x776D35CCJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtAllocateVirtualMemory: Direct from: 0x776D2BFCJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtProtectVirtualMemory: Direct from: 0x776C7B2EJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtDelayExecution: Direct from: 0x776D2DDCJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtQuerySystemInformation: Direct from: 0x776D2DFCJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtReadFile: Direct from: 0x776D2ADCJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtQueryInformationToken: Direct from: 0x776D2CACJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtCreateFile: Direct from: 0x776D2FECJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtOpenFile: Direct from: 0x776D2DCCJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtOpenKeyEx: Direct from: 0x776D2B9CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtNotifyChangeKey: Direct from: 0x776D3C2CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtSetInformationProcess: Direct from: 0x776D2C5CJump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeNtProtectVirtualMemory: Direct from: 0x776D2F9CJump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeMemory written: C:\Users\user\Desktop\Invoice 1425004091.exe base: 400000 value starts with: 4D5AJump to behavior
                Maps a DLL or memory area into another process
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: NULL target: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exe protection: execute and read and writeJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeSection loaded: NULL target: C:\Windows\SysWOW64\dxdiag.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: NULL target: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: NULL target: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Modifies the context of a thread in another process (thread injection)
                Source: C:\Windows\SysWOW64\dxdiag.exeThread register set: target process: 7376Jump to behavior
                Queues an APC in another process (thread injection)
                Source: C:\Windows\SysWOW64\dxdiag.exeThread APC queued: target process: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeProcess created: C:\Users\user\Desktop\Invoice 1425004091.exe "C:\Users\user\Desktop\Invoice 1425004091.exe"Jump to behavior
                Source: C:\Program Files (x86)\zKmOrXvviFxVauJoTYcytUXvkOeQOlfCBPLqKfgXAuTltYsgJCkRwsAZ\VSYBJyfGvx9hmVCehuRluIy.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000000.1248840947.0000000000FF0000.00000002.00000001.00040000.00000000.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000002.3317939510.0000000000FF0000.00000002.00000001.00040000.00000000.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 0000000C.00000002.3318448707.0000000001180000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
                Source: VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000000.1248840947.0000000000FF0000.00000002.00000001.00040000.00000000.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000002.3317939510.0000000000FF0000.00000002.00000001.00040000.00000000.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 0000000C.00000002.3318448707.0000000001180000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000000.1248840947.0000000000FF0000.00000002.00000001.00040000.00000000.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000002.3317939510.0000000000FF0000.00000002.00000001.00040000.00000000.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 0000000C.00000002.3318448707.0000000001180000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000000.1248840947.0000000000FF0000.00000002.00000001.00040000.00000000.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 00000004.00000002.3317939510.0000000000FF0000.00000002.00000001.00040000.00000000.sdmp, VSYBJyfGvx9hmVCehuRluIy.exe, 0000000C.00000002.3318448707.0000000001180000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeQueries volume information: C:\Users\user\Desktop\Invoice 1425004091.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Invoice 1425004091.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 1.2.Invoice 1425004091.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Invoice 1425004091.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3318682670.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1325406897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1331760205.00000000037D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.3320610474.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3316270446.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3318732161.0000000004830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1329547108.0000000001A60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.3318435329.0000000002720000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\SysWOW64\dxdiag.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 1.2.Invoice 1425004091.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Invoice 1425004091.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3318682670.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1325406897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1331760205.00000000037D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.3320610474.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3316270446.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3318732161.0000000004830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1329547108.0000000001A60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.3318435329.0000000002720000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
                DLL Side-Loading                		412
                Process Injection                		1
                Masquerading                		1
                OS Credential Dumping                		121
                Security Software Discovery                		Remote Services1
                Email Collection                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                Abuse Elevation Control Mechanism                		1
                Disable or Modify Tools                		LSASS Memory2
                Process Discovery                		Remote Desktop Protocol1
                Archive Collected Data                		3
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                DLL Side-Loading                		41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin Shares1
                Data from Local System                		4
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook412
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture4
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets2
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Abuse Elevation Control Mechanism                		Cached Domain Credentials113
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items4
                Obfuscated Files or Information                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job12
                Software Packing                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                DLL Side-Loading                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1640450 Sample: Invoice 1425004091.exe Startdate: 17/03/2025 Architecture: WINDOWS Score: 100 31 www.tether1.xyz 2->31 33 www.bawiin.xyz 2->33 35 15 other IPs or domains 2->35 45 Suricata IDS alerts for network traffic 2->45 47 Antivirus detection for URL or domain 2->47 49 Multi AV Scanner detection for submitted file 2->49 53 4 other signatures 2->53 10 Invoice 1425004091.exe 3 2->10         started        signatures3 51 Performs DNS queries to domains with low reputation 33->51 process4 file5 29 C:\Users\user\...\Invoice 1425004091.exe.log, ASCII 10->29 dropped 65 Injects a PE file into a foreign processes 10->65 14 Invoice 1425004091.exe 10->14         started        signatures6 process7 signatures8 67 Maps a DLL or memory area into another process 14->67 17 VSYBJyfGvx9hmVCehuRluIy.exe 14->17 injected process9 signatures10 43 Found direct / indirect Syscall (likely to bypass EDR) 17->43 20 dxdiag.exe 13 17->20         started        process11 signatures12 55 Tries to steal Mail credentials (via file / registry access) 20->55 57 Tries to harvest and steal browser information (history, passwords, etc) 20->57 59 Modifies the context of a thread in another process (thread injection) 20->59 61 3 other signatures 20->61 23 VSYBJyfGvx9hmVCehuRluIy.exe 20->23 injected 27 firefox.exe 20->27         started        process13 dnsIp14 37 www.tether1.xyz 188.114.97.3, 49725, 49726, 49727 CLOUDFLARENETUS European Union 23->37 39 9889.bodis.com 199.59.243.228, 49713, 49714, 49715 BODIS-NJUS United States 23->39 41 5 other IPs or domains 23->41 63 Found direct / indirect Syscall (likely to bypass EDR) 23->63 signatures15

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.