
Analysis Report invoice pdf.exe

Overview

General Information

Sample Name: invoice pdf.exe
Analysis ID: 403525
MD5: 0f14a940f2fb7ae9a30b2f0079b13630
SHA1: 183f706b9e8ebfa0f2c412477bed2fb4e798f35d
SHA256: 910f9987b35db8d13a06bb8feae8274601bb8afcdca3afcfed64ca8a66f498a4
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • invoice pdf.exe (PID: 6092 cmdline: 'C:\Users\user\Desktop\invoice pdf.exe' MD5: 0F14A940F2FB7AE9A30B2F0079B13630)
    • powershell.exe (PID: 2232 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\invoice pdf.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5928 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LXAiHtFKpy.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4720 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LXAiHtFKpy' /XML 'C:\Users\user\AppData\Local\Temp\tmpF83F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6124 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\LXAiHtFKpy.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • invoice pdf.exe (PID: 4248 cmdline: C:\Users\user\Desktop\invoice pdf.exe MD5: 0F14A940F2FB7AE9A30B2F0079B13630)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
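
The configuration above is what a practitioner turns into indicators and network rules. The script below is an added example, not Joe Sandbox's extractor and not NanoCore code: it parses the extracted JSON, lists the C2 endpoints, converts the millisecond timers to seconds, reads the 8-digit hex fields as unsigned integers (an assumption about their encoding), and emits Suricata rule text. The SID range, rule messages and the Suricata syntax are the example's own choices; the config string itself is copied verbatim from this report.

```python
"""Turn the NanoCore client configuration extracted in this report into
indicators. Added example, not the sandbox's extractor; see lead-in for assumptions."""
import ipaddress
import json

# Configuration string copied from this report's "Malware Configuration" section.
NANOCORE_CONFIG = (
    '{"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", '
    '"Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", '
    '"RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", '
    '"ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", '
    '"ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, '
    '"RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, '
    '"LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", '
    '"GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", '
    '"BackupDNSServer": "8.8.4.4"}'
)

HEX_FIELDS = ("BufferSize", "MaxPacketSize", "GCThreshold")  # 8-digit hex strings (assumed unsigned)
MS_FIELDS = ("RunDelay", "ConnectDelay", "RestartDelay", "TimeoutInterval",
             "KeepAliveTimeout", "MutexTimeout", "LanTimeout", "WanTimeout")


def parse_config(raw: str) -> dict:
    """Load the extractor's JSON and decode the hex-string size fields to integers."""
    cfg = json.loads(raw)
    for key in HEX_FIELDS:
        cfg[key] = int(cfg[key], 16)
    return cfg


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def c2_endpoints(cfg: dict) -> list:
    """Every non-empty DomainN entry shares the single configured Port."""
    return [(cfg[k], cfg["Port"]) for k in ("Domain1", "Domain2") if cfg.get(k)]


def enabled_options(cfg: dict) -> list:
    """Behaviour switches the operator turned on (e.g. ClearZoneIdentifier)."""
    return sorted(k for k, v in cfg.items() if v == "Enable")


def timing_seconds(cfg: dict) -> dict:
    """Millisecond intervals as seconds: first connect, reconnect cadence, keep-alive."""
    return {k: cfg[k] / 1000 for k in MS_FIELDS}


def expect_dns_lookup(cfg: dict) -> bool:
    """False when every C2 is an IP literal: the connection shows up with no preceding DNS query."""
    return any(not is_ip_literal(h) for h, _ in c2_endpoints(cfg))


def suricata_rules(cfg: dict, base_sid: int = 9000001) -> list:
    """One rule per C2: a TCP flow rule for IP literals, a dns.query rule for hostnames.
    SIDs are placeholders in a private range; adjust before deploying."""
    rules = []
    for i, (host, port) in enumerate(c2_endpoints(cfg)):
        msg = f'NanoCore C2 from extracted config, group {cfg["Group"]}'
        if is_ip_literal(host):
            rules.append(f'alert tcp $HOME_NET any -> {host} {port} (msg:"{msg}"; '
                         f'flow:to_server,established; sid:{base_sid + i}; rev:1;)')
        else:
            rules.append(f'alert dns $HOME_NET any -> any any (msg:"{msg} (DNS)"; dns.query; '
                         f'content:"{host}"; nocase; sid:{base_sid + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    cfg = parse_config(NANOCORE_CONFIG)
    print("C2:", c2_endpoints(cfg), "mutex:", cfg["Mutex"])
    print("enabled:", enabled_options(cfg))
    print("timing (s):", timing_seconds(cfg))
    print("DNS lookup expected:", expect_dns_lookup(cfg),
          "custom DNS:", cfg["PrimaryDNSServer"], cfg["BackupDNSServer"])
    for rule in suricata_rules(cfg):
        print(rule)
```

Two points worth reading off the output. RunOnStartup is Disable, so the scheduled task seen in the process tree is created by the dropper stage (PID 6092), not by the NanoCore client's own settings; both stages need to be covered. And because Domain1 is an IP literal, there is nothing to catch at the resolver, which is exactly why the report lists the 23.105.131.171 connections as TCP traffic without a corresponding DNS query.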

Yara Overview

Memory Dumps

Fields: Source, Rule, Description, Author, Strings (matched strings listed as offset:$identifier: value)
Source: 00000009.00000002.608328065.0000000005BF0000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x2205:$x1: NanoCore.ClientPluginHost
  • 0x223e:$x2: IClientNetworkHost
Source: 00000009.00000002.608328065.0000000005BF0000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0x2205:$x2: NanoCore.ClientPluginHost
  • 0x2320:$s4: PipeCreated
  • 0x221f:$s5: IClientLoggingHost
Source: 00000009.00000002.608687073.0000000005C70000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
Source: 00000009.00000002.608687073.0000000005C70000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
Source: 00000009.00000002.596609688.0000000000402000.00000040.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(32 further entries omitted; 37 in total)

Unpacked PEs

Fields: Source, Rule, Description, Author, Strings (matched strings listed as offset:$identifier: value)
Source: 9.2.invoice pdf.exe.5c20000.18.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0x1deb:$x1: NanoCore.ClientPluginHost
  • 0x1e24:$x2: IClientNetworkHost
Source: 9.2.invoice pdf.exe.5c20000.18.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0x1deb:$x2: NanoCore.ClientPluginHost
  • 0x1f36:$s4: PipeCreated
  • 0x1e05:$s5: IClientLoggingHost
Source: 0.2.invoice pdf.exe.4596768.2.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0.2.invoice pdf.exe.4596768.2.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
Source: 0.2.invoice pdf.exe.4596768.2.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
(67 further entries omitted; 72 in total)
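
The offset:$identifier lines in the memory-dump and unpacked-PE tables above are what a string scan of a dump produces. The following is an added example, not the sandbox's Yara engine and not the published Nanocore_RAT_Gen_2 / Nanocore_RAT_Feb18_1 rules: it searches a buffer for the indicator strings those rules matched here, in both ASCII and UTF-16LE (the encoding .NET uses for in-memory strings), and prints hits in the report's format. The match condition (any $x string, or at least three distinct $s strings) is an assumption for illustration, not the rules' real condition, and the sample buffer is constructed so that its offsets reproduce the first memory-dump entry listed above.

```python
"""Indicator-string scanner over a memory dump, reporting offsets the way the
Yara tables in this report do. Added example; the condition is an assumption."""

# Strings taken from the matched $x/$s identifiers listed in the report tables.
X_STRINGS = {"x1": b"NanoCore.ClientPluginHost", "x2": b"IClientNetworkHost",
             "x3": b"NanoCore Client.exe"}
S_STRINGS = {"s1": b"PluginCommand", "s2": b"FileCommand", "s3": b"PipeExists",
             "s4": b"PipeCreated", "s5": b"IClientLoggingHost"}
ALL_STRINGS = {**X_STRINGS, **S_STRINGS}


def find_all(buf: bytes, needle: bytes) -> list:
    """Offsets of every ASCII and UTF-16LE occurrence of needle in buf."""
    offsets = []
    for encoded in (needle, needle.decode("ascii").encode("utf-16-le")):
        start = 0
        while (i := buf.find(encoded, start)) != -1:
            offsets.append(i)
            start = i + 1
    return sorted(offsets)


def scan(buf: bytes):
    """Return (matched, {identifier: [offsets]}).
    Condition (assumed, not the real rules'): any $x hit, or >= 3 distinct $s hits."""
    hits = {}
    for name, s in ALL_STRINGS.items():
        offs = find_all(buf, s)
        if offs:
            hits[name] = offs
    matched = any(n.startswith("x") for n in hits) or sum(n.startswith("s") for n in hits) >= 3
    return matched, hits


def report_lines(hits: dict) -> list:
    """Format hits as 0x<offset>:$<id>: <string>, as in the report tables."""
    return [f"0x{off:x}:${name}: {ALL_STRINGS[name].decode()}"
            for name, offs in sorted(hits.items()) for off in offs]


def build_sample_dump() -> bytes:
    """Constructed buffer laid out to reproduce the offsets of the first memory dump above
    (0x2205 $x1, 0x221f $s5, 0x223e $x2, 0x2320 $s4)."""
    buf = bytearray(0x2400)
    for off, s in ((0x2205, b"NanoCore.ClientPluginHost"), (0x221f, b"IClientLoggingHost"),
                   (0x223e, b"IClientNetworkHost"), (0x2320, b"PipeCreated")):
        buf[off:off + len(s)] = s
    return bytes(buf)


if __name__ == "__main__":
    ok, found = scan(build_sample_dump())
    print("matched:", ok)
    for line in report_lines(found):
        print(line)
```

To run it over a real dump, read the file as bytes and pass it to scan(); the UTF-16LE pass matters because managed-code strings are often only present in that form once the assembly is loaded, even though the metadata names matched here are ASCII.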

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\invoice pdf.exe, ProcessId: 4248, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LXAiHtFKpy' /XML 'C:\Users\user\AppData\Local\Temp\tmpF83F.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LXAiHtFKpy' /XML 'C:\Users\user\AppData\Local\Temp\tmpF83F.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice pdf.exe' , ParentImage: C:\Users\user\Desktop\invoice pdf.exe, ParentProcessId: 6092, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LXAiHtFKpy' /XML 'C:\Users\user\AppData\Local\Temp\tmpF83F.tmp', ProcessId: 4720
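
The two Sigma hits above and the Startup process tree describe the dropper's defence-evasion and persistence steps: PowerShell adds Defender exclusions for the sample and its dropped copy, schtasks imports a task definition from a .tmp file, the sample spawns a second copy of itself, and that child writes run.dat under a GUID folder in %APPDATA%. The following is an added example, not Joe Sandbox's Sigma engine and not the published Sigma rules: it runs equivalent checks over constructed Sysmon-style events modelled on this report's data. The Event layout, rule names and the benign control event are assumptions.

```python
"""Sysmon-style detections for the behaviour in this report's process tree.
Added example; event layout and rule names are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int               # Sysmon EventID: 1 = process create, 11 = file create
    process_id: int
    image: str
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""   # EventID 11 only


TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
XML_ARG = re.compile(r"""/xml\s+(?:"([^"]+)"|'([^']+)'|(\S+))""", re.I)
RUN_DAT = re.compile(r"\\appdata\\roaming\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\\run\.dat$", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_defender_exclusion(ev: Event) -> bool:
    """PowerShell adding a Defender exclusion (Add-MpPreference -ExclusionPath in the tree above)."""
    if ev.event_id != 1 or _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    cl = ev.command_line.lower()
    return "add-mppreference" in cl and "-exclusion" in cl


def detect_task_from_temp(ev: Event) -> bool:
    """schtasks /Create importing its task XML from a temp directory (the tmpF83F.tmp case above)."""
    if ev.event_id != 1 or _basename(ev.image) != "schtasks.exe" or "/create" not in ev.command_line.lower():
        return False
    m = XML_ARG.search(ev.command_line)
    if not m:
        return False
    xml_path = (m.group(1) or m.group(2) or m.group(3)).lower()
    return any(t in xml_path for t in TEMP_DIRS)


def detect_nanocore_run_dat(ev: Event) -> bool:
    """run.dat created under %APPDATA%\\<GUID>\\, the file-create event the NanoCore Sigma rule fired on."""
    return ev.event_id == 11 and RUN_DAT.search(ev.target_filename) is not None


def detect_self_spawn(ev: Event) -> bool:
    """Weak signal on its own: a process starting a second copy of its own image (PID 6092 -> 4248 above)."""
    return ev.event_id == 1 and ev.parent_image.lower() == ev.image.lower()


RULES = {
    "defender_exclusion_added": detect_defender_exclusion,
    "schtasks_xml_from_temp": detect_task_from_temp,
    "nanocore_run_dat_created": detect_nanocore_run_dat,
    "self_spawn": detect_self_spawn,
}


def run_detections(events) -> list:
    """(rule name, process id) for every event/rule pair that fires, in event order."""
    return [(name, ev.process_id) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed events mirroring the Startup tree and Sigma data in this report.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\user\Desktop\invoice pdf.exe"
COPY = r"C:\Users\user\AppData\Roaming\LXAiHtFKpy.exe"
SAMPLE_EVENTS = [
    Event(1, 2232, PS, f"'{PS}' Add-MpPreference -ExclusionPath '{SAMPLE}'", SAMPLE),
    Event(1, 5884, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", PS),
    Event(1, 5928, PS, f"'{PS}' Add-MpPreference -ExclusionPath '{COPY}'", SAMPLE),
    Event(1, 4720, r"C:\Windows\SysWOW64\schtasks.exe",
          r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LXAiHtFKpy' /XML 'C:\Users\user\AppData\Local\Temp\tmpF83F.tmp'",
          SAMPLE),
    Event(1, 4248, SAMPLE, SAMPLE, SAMPLE),
    Event(11, 4248, SAMPLE,
          target_filename=r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"),
    # Benign control (constructed): an installer importing a task XML from ProgramData must not fire.
    Event(1, 7001, r"C:\Windows\System32\schtasks.exe",
          r"schtasks.exe /Create /TN 'Vendor\Updater' /XML 'C:\ProgramData\Vendor\updater.xml'",
          r"C:\Program Files\Vendor\setup.exe"),
]

if __name__ == "__main__":
    for name, pid in run_detections(SAMPLE_EVENTS):
        print(f"{name:28s} PID {pid}")
```

The self-spawn check is deliberately listed last: on its own it is noisy (updaters and browsers do it), but in this tree it is the first event from the child that later carries the unpacked RAT, so it is useful as a correlation anchor for the run.dat write that follows from the same PID.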

Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.605830020.0000000003F78000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Yara detected Nanocore RAT
Source: Yara match, File source: 00000009.00000002.596609688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.607587631.0000000005690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.605830020.0000000003F78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.352968816.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: invoice pdf.exe PID: 4248, type: MEMORY
Source: Yara match, File source: Process Memory Space: invoice pdf.exe PID: 6092, type: MEMORY
Source: Yara match, File source: 0.2.invoice pdf.exe.4596768.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.3f86e90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.5690000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.5690000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.3f86e90.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.3f8b4b9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.5694629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.invoice pdf.exe.4596768.2.raw.unpack, type: UNPACKEDPE
Source: 9.2.invoice pdf.exe.5690000.9.unpack, Avira: Label: TR/NanoCore.fadte
Source: 9.2.invoice pdf.exe.3f86e90.3.unpack, Avira: Label: TR/NanoCore.fadte
Source: 9.2.invoice pdf.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: invoice pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\invoice pdf.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: invoice pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: invoice pdf.exe, 00000009.00000002.601828863.0000000002BD5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb source: invoice pdf.exe, 00000009.00000002.601828863.0000000002BD5000.00000004.00000040.sdmp
Source: Binary string: 1<pC:\Windows\mscorlib.pdb source: invoice pdf.exe, 00000009.00000002.609095194.000000000605C000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: invoice pdf.exe, 00000009.00000002.601828863.0000000002BD5000.00000004.00000040.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: invoice pdf.exe, 00000009.00000002.609095194.000000000605C000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.pdbN source: invoice pdf.exe, 00000009.00000002.601828863.0000000002BD5000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: invoice pdf.exe, 00000009.00000003.473590981.0000000000E50000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: invoice pdf.exe, 00000009.00000002.608240878.0000000005BD0000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: invoice pdf.exe, 00000009.00000002.609095194.000000000605C000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: invoice pdf.exe, 00000009.00000002.601828863.0000000002BD5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\ObXatUjvuT\src\obj\Debug\GenericIdentity.pdb source: invoice pdf.exe, LXAiHtFKpy.exe.0.dr
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: invoice pdf.exe, 00000009.00000003.445990560.0000000000E50000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: invoice pdf.exe, 00000009.00000002.601828863.0000000002BD5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System\2.0.0.0__b77a5c561934e089\System.dll source: invoice pdf.exe, 00000009.00000002.609095194.000000000605C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: invoice pdf.exe, 00000009.00000002.608367585.0000000005C00000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: invoice pdf.exe, 00000009.00000002.608467393.0000000005C20000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: invoice pdf.exe, 00000009.00000002.607965030.0000000005B60000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: invoice pdf.exe, 00000009.00000003.558771698.0000000000E44000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: invoice pdf.exe, 00000009.00000002.608405956.0000000005C10000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbH source: invoice pdf.exe, 00000009.00000002.609095194.000000000605C000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: invoice pdf.exe, 00000000.00000002.355767189.0000000005650000.00000002.00000001.sdmp, invoice pdf.exe, 00000009.00000002.607205625.0000000005270000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: invoice pdf.exe, 00000009.00000002.608328065.0000000005BF0000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbstem.pdb source: invoice pdf.exe, 00000009.00000002.601828863.0000000002BD5000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\invoice pdf.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h, 0_2_06713160
Source: C:\Users\user\Desktop\invoice pdf.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h, 0_2_06713150
Source: C:\Users\user\Desktop\invoice pdf.exe, Code function: 4x nop then mov esp, ebp, 9_2_06063441

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49703 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49704 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49705 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49706 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49707 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49708 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49709 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49710 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49711 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49712 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49713 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49714 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49718 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49719 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49720 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49721 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49722 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49723 -> 23.105.131.171:4040
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: 23.105.131.171
Source: global traffic, TCP traffic: 192.168.2.6:49703 -> 23.105.131.171:4040
Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-NYC-11US
Source: unknown, TCP traffic detected without corresponding DNS query: 23.105.131.171 (50 identical entries)
Source: C:\Users\user\Desktop\invoice pdf.exe, Code function: 9_2_050728CE WSARecv, 9_2_050728CE
Source: powershell.exe, 00000001.00000002.492695595.0000000002F76000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000001.00000003.485185911.000000000960D000.00000004.00000001.sdmp, String found in binary or memory: http://crl.microsoft.
Source: invoice pdf.exe, 00000009.00000002.608405956.0000000005C10000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: powershell.exe, 00000001.00000002.498141134.0000000004C2F000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.445658973.0000000007DFC000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.498141134.0000000004C2F000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.496196756.0000000004AF1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.498141134.0000000004C2F000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: invoice pdf.exe, String found in binary or memory: http://tempuri.org/Shops_DBDataSet.xsd
Source: invoice pdf.exe, String found in binary or memory: http://tempuri.org/Shops_DBDataSet.xsd9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGPrope
Source: powershell.exe, 00000001.00000002.498141134.0000000004C2F000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.445658973.0000000007DFC000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.498141134.0000000004C2F000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.445658973.0000000007DFC000.00000004.00000001.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000003.452222503.0000000005620000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.458264178.0000000005392000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.464565943.00000000058F2000.00000004.00000001.sdmp, String found in binary or memory: https://go.micro
Source: invoice pdf.exe, 00000000.00000002.349881713.00000000034BE000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: invoice pdf.exe, 00000009.00000002.607587631.0000000005690000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000009.00000002.596609688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.607587631.0000000005690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.605830020.0000000003F78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.352968816.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: invoice pdf.exe PID: 4248, type: MEMORY
Source: Yara match, File source: Process Memory Space: invoice pdf.exe PID: 6092, type: MEMORY
Source: Yara match, File source: 0.2.invoice pdf.exe.4596768.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.3f86e90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.5690000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.5690000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.3f86e90.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.3f8b4b9.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.5694629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.invoice pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.invoice pdf.exe.4596768.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.608328065.0000000005BF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.608687073.0000000005C70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.596609688.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.596609688.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.608111677.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.607587631.0000000005690000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.608591854.0000000005C50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.608367585.0000000005C00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.608540807.0000000005C40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.608795664.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.608240878.0000000005BD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.607965030.0000000005B60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.608467393.0000000005C20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.352968816.0000000004481000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.352968816.0000000004481000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.608405956.0000000005C10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.607281526.00000000052D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: invoice pdf.exe PID: 4248, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: invoice pdf.exe PID: 4248, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: invoice pdf.exe PID: 6092, type: MEMORY, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: invoice pdf.exe PID: 6092, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.invoice pdf.exe.5c20000.18.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 0.2.invoice pdf.exe.4596768.2.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 0.2.invoice pdf.exe.4596768.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.invoice pdf.exe.5bf0000.15.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.3f86e90.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5c40000.19.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5c10000.17.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5bf0000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5c50000.20.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5c20000.18.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5bd0000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5c70000.21.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.52d0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5ba0000.13.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5690000.9.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5c10000.17.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5c70000.21.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5ca0000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.2f31284.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5bd0000.14.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5c00000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5690000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.3f86e90.3.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5c50000.20.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5b60000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5c40000.19.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.5ba0000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 9.2.invoice pdf.exe.3f8b4b9.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects the Nanocore RAT, Author: Florian Roth
    Source: 9.2.invoice pdf.exe.5694629.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.invoice pdf.exe.5c74c9f.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.invoice pdf.exe.5ca0000.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.invoice pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 9.2.invoice pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 9.2.invoice pdf.exe.5c7e8a4.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.invoice pdf.exe.4596768.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.invoice pdf.exe.4596768.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Initial sample is a PE file and has a suspicious name
    Source: initial sample Static PE information: Filename: invoice pdf.exe
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_0507136A NtQuerySystemInformation
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_0507132F NtQuerySystemInformation
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_00BD62A0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_00BD5683
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_00BD62D2
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_01508229
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D2178
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055DFDF0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D4D81
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055DCDA8
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D1C10
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D64E0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D3B1F
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D569B
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D4690
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D216A
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D71D8
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D81D0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055DD5C0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D91F2
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D71E8
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D45E1
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D81E0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D51B9
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D7C70
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D7C60
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D643F
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055DD038
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D87CB
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D83C0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055DDBF0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D83B0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D8658
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D8649
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_06711560
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_06710258
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_06710828
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_06710248
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_0671081B
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_06710B00
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_067111E0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_06710BC1
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D0A58
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 0_2_055D0A54
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_005562D2
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_00555683
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_005562A0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_02B023A0
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_02B02FA8
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_02B0AF33
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_02B08468
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_02B09068
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_02B0306F
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_02B0912F
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_0606226F
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_06064090
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_06064C90
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_06064D57
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_060621A8
    Source: C:\Users\user\Desktop\invoice pdf.exe Code function: 9_2_060615A8